Abstract. We derive a new entropic quantum uncertainty relation involving min-entropy. The 
relation is tight and can be applied in various quantum-cryptographic settings. 
Protocols for quantum 1-out-of-2 Oblivious Transfer and quantum Bit Commitment are presented, 
and the uncertainty relation is used to prove the security of these protocols in the bounded-
quantum-storage model according to new strong security definitions. 
As another application, we consider the realistic setting of Quantum Key Distribution (QKD) 
against quantum-memory-bounded eavesdroppers. The uncertainty relation makes it possible to prove the 
security of QKD protocols in this setting while tolerating considerably higher error rates compared 
to the standard model with unbounded adversaries. For instance, for the six-state protocol with 
one-way communication, a bit-flip error rate of up to 17% can be tolerated (compared to 13% in 
the standard model). 

Our uncertainty relation also yields a lower bound on the min-entropy key uncertainty against 
known-plaintext attacks when quantum ciphers are composed. Previously, the key uncertainty of 
these ciphers was only known with respect to Shannon entropy. 
A problem often encountered in quantum cryptography is the following: through some interaction 
between the players, a quantum state $\rho$ is generated and then measured by one of the 
players (call her Alice in the following). Assuming Alice is honest, we want to know how unpredictable 
her measurement outcome is to the adversary. Once a lower bound on the adversary's 
uncertainty about Alice's measurement outcome is established, it is usually easy to prove the 
desired security property of the protocol. Many existing constructions in quantum cryptography 
have been proved secure following this paradigm. 

Typically, Alice does not make her measurement in a fixed basis, but chooses at random 
among a set of different bases. These bases are usually chosen to be pairwise mutually unbiased, 
meaning that if $\rho$ is such that the measurement outcome in one basis is fixed then this implies 
that the uncertainty about the outcome of the measurement in the other basis is maximal. In 
this way, one hopes to keep the adversary's uncertainty high, even if $\rho$ is (partially) under the 
adversary's control. 

An inequality that lower bounds the adversary's uncertainty in such a scenario is called an 
uncertainty relation. There exist uncertainty relations for different measures of uncertainty, but 
cryptographic applications typically require the adversary's min-entropy to be bounded from 
below. 

In this paper, we introduce a new general and tight entropic uncertainty relation. Since 
the relation is expressed in terms of high-order entropy (i.e. min-entropy), it is applicable to 
a large class of natural protocols in quantum cryptography. In particular, the new relation 
can be applied in situations where an $n$-qubit state $\rho$ has each of its qubits measured in a 
random and independent basis sampled uniformly from a fixed set $\mathcal{B}$ of bases. $\mathcal{B}$ does not 
necessarily have to be mutually unbiased, but we assume a lower bound $h$ (i.e. an average 
entropic uncertainty bound) on the average Shannon entropy of the distribution $P_\vartheta$, obtained 
by measuring an arbitrary 1-qubit state in basis $\vartheta \in \mathcal{B}$, meaning that $\frac{1}{|\mathcal{B}|}\sum_{\vartheta \in \mathcal{B}} H(P_\vartheta) \geq h$. 

Uncertainty Relation (informal): Let $\mathcal{B}$ be a set of bases with an average entropic uncertainty 
bound $h$ as above. Let $P_\theta$ denote the probability distribution defined by measuring an 
arbitrary $n$-qubit state $\rho$ in basis $\theta \in \mathcal{B}^n$. For a $\theta \in \mathcal{B}^n$ chosen uniformly at random, it holds 
except with negligible probability that 

$$H_\infty(P_\theta) \gtrsim nh\,. \qquad (1)$$

Observe that (1) cannot be improved significantly since the min-entropy of a distribution 
is at most equal to the Shannon entropy. Our uncertainty relation is therefore asymptotically 
tight when the bound $h$ is tight. 

Any lower bound on the Shannon entropy associated to a set of measurements $\mathcal{B}$ can be 
used in (1). In the special case where the set of bases is $\mathcal{B} = \{+, \times\}$ (i.e. the two BB84 bases), 
$h$ is known precisely using Maassen and Uffink's entropic relation, see inequality (2) below. We 
get $h = \frac{1}{2}$ and (1) results in $H_\infty(P_\theta) \gtrsim \frac{n}{2}$. Uncertainty relations for the BB84 coding scheme [3] 
are useful since this coding is widely used in quantum cryptography. Its resilience to imperfect 
quantum channels, sources, and detectors is an important advantage in practice. 

We now discuss applications of our high-order uncertainty relation to important scenarios 
in cryptography: two-party cryptography, quantum key distribution and quantum encryption. 

Application I: Two-Party Cryptography in the Bounded-Quantum-Storage Model. Entropic uncertainty 
relations are powerful tools for the security analysis of cryptographic protocols in the 
bounded-quantum-storage model. In this model, the adversary is unbounded in every respect, 
except that at a certain time, his quantum memory is reduced to a certain size (by performing 
some measurement). In [13], an uncertainty relation involving min-entropy was shown and 
used in the analysis of protocols for Rabin oblivious transfer (ROT) and bit commitment. This 
uncertainty relation only applies in the case when $n$ qubits are all measured in one out of two 
mutually unbiased bases. 

A major difference between our result (1) and the one from [13] is that while both relations 
bound the min-entropy conditioned on an event, this event happens in our case with probability 
essentially 1 (on average) whereas the corresponding event from [13] only happens with 
probability about 1/2. In Sect. 4 we prove the following: 

1-2 OT in the Bounded-Quantum-Storage Model: There exists a non-interactive protocol 
for 1-out-of-2 oblivious transfer (1-2 OT) of $\ell$-bit messages, secure against adversaries with 
quantum memory size at most $n/4 - 2\ell$. Here, $n$ is the number of qubits transmitted in the 
protocol and $\ell$ can be a constant fraction of $n$. Honest players need no quantum memory. 

Since all flavors of OT are known to be equivalent under classical information-theoretic 
reductions, and a ROT protocol is already known from [13], the above result may seem insignificant. 
This is not the case, however, for several reasons: First, although it may in principle 
be possible to obtain a protocol for 1-2 OT from the ROT protocol of [13] using the standard 
black-box reduction, the fact that we need to call the ROT primitive many times would force 
the bound on the adversary's memory to be sublinear (in the number of transmitted qubits). 
Second, the techniques used in [13] do not seem applicable to 1-2 OT, unless via the inefficient 
generic reduction to ROT. And, third, we prove security according to a stronger definition than 
the one used in [13], namely a quantum version of a recent classical definition for information 
theoretic 1-2 OT [10]. The definition ensures that all (dishonest) players' inputs are well defined 
(and can be extracted when formalized appropriately). In particular, this implies security under 
sequential composition whereas composability of the protocol from [13] was not proven. 

Furthermore, our techniques for 1-2 OT imply almost directly a non-interactive bit commitment 
scheme (in the bounded-quantum-storage model) satisfying a composable security 
definition. As an immediate consequence, we obtain secure string commitment schemes. This 
improves over the bit commitment construction of [13], respectively its analysis, which does 
not guarantee composability and thus does not necessarily allow for string commitments. This 
application can be found in the section on bit commitment. 

Application II: Quantum Key Distribution. We also apply our uncertainty relation to quantum 
key distribution (QKD) settings. QKD is the art of distributing a secret key between two 
distant parties, Alice and Bob, using only a completely insecure quantum channel and authentic 
classical communication. QKD protocols typically provide information-theoretic security, i.e., 
even an adversary with unlimited resources cannot get any information about the key. A major 
difficulty when implementing QKD schemes is that they require a low-noise quantum channel. 
The tolerated noise level depends on the actual protocol and on the desired security of the key. 
Because the quality of the channel typically decreases with its length, the maximum tolerated 
noise level is an important parameter limiting the maximum distance between Alice and Bob. 

We consider a model in which the adversary has a limited amount of quantum memory to 
store the information she intercepts during the protocol execution. In this model, we show that 
the maximum tolerated noise level is larger than in the standard scenario where the adversary 
has unlimited resources. For one-way QKD protocols, i.e., protocols where error-correction 
is performed non-interactively (a single classical message is sent from one party to the 
other), we show the following result: 

QKD Against Quantum-Memory-Bounded Eavesdroppers: Let $\mathcal{B}$ be a set of orthonormal 
bases of $\mathcal{H}_2$ with average entropic uncertainty bound $h$. Then, a one-way QKD-protocol 
produces a secure key against eavesdroppers whose quantum-memory size is sublinear in the 
length of the raw key at a positive rate as long as the bit-flip probability $p$ of the quantum 
channel fulfills $H_{\mathrm{bin}}(p) < h$, where $H_{\mathrm{bin}}(\cdot)$ denotes the binary Shannon-entropy function. 

Although this result does not allow us to improve (i.e. compared to unbounded adversaries) 
the maximum error-rate for the BB84 protocol (the four-state protocol), the six-state protocol 
can be shown secure against adversaries with memory bound sublinear in the secret-key length 
as long as the bit-flip error-rate is less than 17%. This improves over the maximal error-rate of 
13% for the same protocol against unbounded adversaries. We also show that the generalization 
of the six-state protocol to more bases (not necessarily mutually unbiased) can be shown secure 
(against memory-bounded adversaries) for a maximal error-rate up to 20% provided the number 
of bases is large enough. Note that the best known one-way protocol based on qubits is proven 
secure against general attacks for an error-rate of only up to roughly 14.1%, and the theoretical 
maximum is 16.3% [29]. 
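As an added worked example (not code from the paper), the following Python computes the largest bit-flip probability $p$ that satisfies the condition $H_{\mathrm{bin}}(p) < h$ of the result above. It uses the two average entropic uncertainty bounds the paper works with, $h = 1/2$ for the BB84 bases and $h = 2/3$ for the three-basis set of the six-state protocol (both derived in Sect. 3), and finds the threshold by bisection since $H_{\mathrm{bin}}$ is increasing on $[0, 1/2]$. The function names and the small table of bounds are this example's own constructions.

```python
import math

def h_bin(p: float) -> float:
    """Binary Shannon entropy H_bin(p) in bits, with 0 log 0 := 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def max_tolerated_error_rate(h: float, tol: float = 1e-12) -> float:
    """Largest bit-flip probability p in [0, 1/2] with H_bin(p) < h.
    Bisection works because H_bin is strictly increasing on [0, 1/2]."""
    if not 0.0 < h <= 1.0:
        raise ValueError("h must lie in (0, 1]")
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if h_bin(mid) < h:
            lo = mid        # condition still holds: the threshold is further right
        else:
            hi = mid
    return lo

# Constructed table for this example: the average entropic uncertainty bounds
# the paper quotes for the BB84 bases {+,x} and for the six-state bases {+,x,o}.
BOUNDS = {"BB84 {+,x}": 1 / 2, "six-state {+,x,o}": 2 / 3}

def thresholds() -> dict:
    """Map each basis set to the largest tolerable bit-flip rate under H_bin(p) < h."""
    return {name: max_tolerated_error_rate(h) for name, h in BOUNDS.items()}

if __name__ == "__main__":
    for name, p in thresholds().items():
        print(f"{name}: H_bin(p) < h holds for p < {p:.4f}")
```

Running it gives roughly 0.174 for the six-state bases, i.e. the 17% figure above, and roughly 0.110 for BB84, which matches the remark that the memory-bounded model does not move the BB84 threshold.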

The quantum-memory-bounded eavesdropper model studied here is not comparable to other 
restrictions on adversaries considered in the literature (e.g. individual attacks, where the eavesdropper 
is assumed to apply independent measurements to each qubit sent over the quantum 
channel [18,26]). In fact, these assumptions are generally artificial and their purpose is to simplify 
security proofs rather than to relax the conditions on the quality of the communication 
channel from which secure key can be generated. We believe that the quantum-memory-bounded 
eavesdropper model is more realistic. 

Application III: Key-Uncertainty of Quantum Ciphers. In [15], symmetric quantum ciphers 
encrypting classical messages with classical secret-keys are considered. It is shown that under 
known-plaintext attacks, the Shannon uncertainty of the secret-key can be much higher for some 
quantum ciphers than for any classical one. The Shannon secret-key uncertainty $H(K|C,M)$ of 
classical ciphers $C$ encrypting messages $M$ of size $m$ with keys $K$ of size $k \geq m$ is always such 
that $H(K|C,M) \leq k - m$. In the quantum case, the Shannon secret-key uncertainty is defined 
as the minimum residual uncertainty about key $K$ given the best measurement (POVM) $P_M(C)$ 
applied to quantum cipher $C$ given plaintext $M$. Examples of quantum ciphers are provided with 
$k = m+1$ such that $H(K|P_M(C)) = m/2 + 1$ and with $k = 2m$ such that $H(K|P_M(C)) \geq 2m - 1$. 
All ciphers in [15] have their keys consisting of two parts. The first part chooses one basis 
out of a set $\mathcal{B}$ of bases while the other part is used as a classical one-time-pad. The message is 
first encrypted with the one-time-pad before being rotated in the basis indicated by the first 
part of the key. For one particular cipher encrypting $m$-bit messages using $m+1$ bits of key, 
Theorem 4 in [15] states that the Shannon secret-key uncertainty adds up under repetitions with 
independent and random keys¹: if $H(K|P_M(C)) \geq h$ then $n$ repetitions with independent keys 
satisfy $H(K_1, \dots, K_n | P_{M_1, \dots, M_n}(C_1, \dots, C_n)) \geq nh$. Our uncertainty relation yields a 
stronger result. The analysis in [15] shows that these quantum ciphers with Shannon secret-key 
uncertainty $h$ satisfy the condition of our uncertainty relation. As a result we obtain a lower 
bound on the min-entropy key uncertainty given the outcome of any quantum measurement 
applied to all ciphers and given all plaintexts. When $H(K|P_M(C)) \geq h$, our uncertainty relation 
tells us that $H_\infty^\varepsilon(K_1, \dots, K_n | P_{M_1, \dots, M_n}(C_1, \dots, C_n)) \gtrsim nh$. Notice that unlike the two previous 
applications, this time the result holds without any restriction on the adversary. 

History and Related Work. The history of uncertainty relations starts with Heisenberg who 
showed that the outcomes of two non-commuting observables $A$ and $B$ applied to any state $\rho$ 
are not easy to predict simultaneously. However, Heisenberg only speaks about the variance of 
the measurement results. Because his result had several shortcomings (as pointed out in [20,16]), 
more general forms of uncertainty relations were proposed by Bialynicki-Birula and Mycielski [7] 
and by Deutsch [16]. The new relations were called entropic uncertainty relations, because they 
are expressed using Shannon entropy instead of the statistical variance and, hence, are purely 
information theoretic statements. For instance, Deutsch's uncertainty relation [16] states that 
$H(P) + H(Q) \geq -2\log\frac{1+c}{2}$, where $P, Q$ are random variables representing the measurement 
results and $c$ is the maximum inner product norm between any eigenvectors of $A$ and $B$. First 
conjectured by Kraus [23], Maassen and Uffink [27] improved Deutsch's relation to the optimal 

$$H(P) + H(Q) \geq -2\log c\,. \qquad (2)$$

Although a bound on Shannon entropy can be helpful in some cases, it is usually not 
good enough in cryptographic applications. The main tool to reduce the adversary's information, 
privacy amplification [5,21,4,30,28], only works if a bound on the adversary's min-entropy 
(in fact collision entropy) is known. Unfortunately, knowing the Shannon entropy of a 
distribution does in general not allow one to bound its higher-order Rényi entropies. 

An entropic uncertainty relation involving Rényi entropy of order 2 (i.e. collision entropy) 
was introduced by Larsen [25,33]. Larsen's relation quantifies precisely the collision entropy for 
the set $\{A_j\}_{j=1}^{d+1}$ of all maximally non-commuting observables, where $d$ is the dimension of the 
Hilbert space. Its use is therefore restricted to quantum coding schemes that take advantage of 
all $d+1$ observables, i.e. to schemes that are difficult to implement in practice. Uncertainty 
relations in terms of Rényi entropy have also been studied in a different context by Bialynicki-Birula [6]. 

¹ The proof of Theorem 4 in [15] is incorrect but can easily be fixed without changing the statement. 

2 Preliminaries 

2.1 Notation and Terminology 

For any positive integer $d$, $\mathcal{H}_d$ stands for the complex Hilbert space of dimension $d$ and $\mathcal{P}(\mathcal{H}_d)$ for 
the set of density operators, i.e., positive semi-definite trace-1 matrices, acting on $\mathcal{H}_d$. The pair 
$\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "$+$" basis for the 2-dimensional Hilbert 
space $\mathcal{H}_2$. The diagonal or "$\times$" basis is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt{2}$ 
and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt{2}$. The circular or "$\odot$" basis consists of vectors $(|0\rangle + i|1\rangle)/\sqrt{2}$ and 
$(|0\rangle - i|1\rangle)/\sqrt{2}$. Measuring a qubit in the $+$-basis (resp. $\times$-basis) means applying the measurement 
described by projectors $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$ (resp. projectors $|0\rangle_\times\langle 0|_\times$ and $|1\rangle_\times\langle 1|_\times$). When 
the context requires it, we write $|0\rangle_+$ and $|1\rangle_+$ instead of $|0\rangle$ and $|1\rangle$, respectively. If we want to 
choose the $+$ or $\times$-basis according to the bit $b \in \{0, 1\}$, we write $[+, \times]_b$. 

The behavior of a (mixed) quantum state in a register $E$ is fully described by its density 
matrix $\rho_E$. We often consider cases where a quantum state may depend on some classical random 
variable $X$, in that the state is described by the density matrix $\rho_E^x$ if and only if $X = x$. For 
an observer who has access to the state but not $X$, the behavior of the state is determined by 
the density matrix $\rho_E := \sum_x P_X(x)\rho_E^x$, whereas the joint state, consisting of the classical $X$ and 
the quantum register $E$, is described by the density matrix $\rho_{XE} := \sum_x P_X(x)|x\rangle\langle x| \otimes \rho_E^x$, where 
we understand $\{|x\rangle\}_{x \in \mathcal{X}}$ to be the standard (orthonormal) basis of $\mathcal{H}_{|\mathcal{X}|}$. Joint states with such 
classical and quantum parts are called cq-states. We also write $\rho_X := \sum_x P_X(x)|x\rangle\langle x|$ for the 
quantum representation of the classical random variable $X$. This notation extends naturally to 
quantum states that depend on several classical random variables (i.e. to ccq-states, cccq-states 
etc.). Given a cq-state $\rho_{XE}$ as above, by saying that there exists a random variable $Y$ such that 
$\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for 
some ccq-state $\rho_{XYE}$ and that $\rho_{XYE}$ satisfies the required condition.² 

We would like to point out that $\rho_{XE} = \rho_X \otimes \rho_E$ holds if and only if the quantum part is 
independent of $X$ (in that $\rho_E^x = \rho_E$ for any $x$), where the latter in particular implies that no 
information on $X$ can be learned by observing only $\rho_E$. Similarly, $X$ is uniformly random and 
independent of the quantum state in register $E$ if and only if $\rho_{XE} = \frac{1}{|\mathcal{X}|}\mathbb{I} \otimes \rho_E$, where $\frac{1}{|\mathcal{X}|}\mathbb{I}$ is 
the density matrix of the fully mixed state of suitable dimension. Finally, if two states like $\rho_{XE}$ 
and $\rho_X \otimes \rho_E$ are $\varepsilon$-close in terms of their trace distance $\delta(\rho, \sigma) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$, which we write as 
$\rho_{XE} \approx_\varepsilon \rho_X \otimes \rho_E$, then the real system $\rho_{XE}$ "behaves" as the ideal system $\rho_X \otimes \rho_E$ except with 
probability $\varepsilon$ in that for any evolution of the system no observer can distinguish the real from 
the ideal one with advantage greater than $\varepsilon$ [30]. 

2.2 Smooth Renyi Entropy 

We briefly recall the notion of (conditional) smooth min-entropy [28,31]. For more details, we 
refer to the aforementioned literature. Let $X$ be a random variable over alphabet $\mathcal{X}$ with distribution 
$P_X$. The standard notion of min-entropy is given by $H_\infty(X) = -\log\big(\max_x P_X(x)\big)$ 
and that of max-entropy by $H_0(X) = \log|\{x \in \mathcal{X} : P_X(x) > 0\}|$. More generally, for any event $\mathcal{E}$ 
(defined by $P_{\mathcal{E}|X}(x) = \Pr[\mathcal{E} | X = x]$ for all $x \in \mathcal{X}$), $H_\infty(X\mathcal{E})$ may be defined similarly, simply by 
replacing $P_X$ by $P_{X\mathcal{E}}$. Note that the "distribution" $P_{X\mathcal{E}}$ is not normalized; $H_\infty(X\mathcal{E})$ is still well 
defined, though. For an arbitrary $\varepsilon \geq 0$, the smooth version $H_\infty^\varepsilon(X)$ is defined as follows. $H_\infty^\varepsilon(X)$ 
is the maximum of the standard min-entropy $H_\infty(X\mathcal{E})$, where the maximum is taken over all 
events $\mathcal{E}$ with $\Pr(\mathcal{E}) \geq 1 - \varepsilon$. Informally, this can be understood that if $H_\infty^\varepsilon(X) = r$ then the 
standard min-entropy of $X$ equals $r$ as well, except with probability $\varepsilon$. As $\varepsilon$ can be interpreted 
as an error probability, we typically require $\varepsilon$ to be negligible in the security parameter $n$. 

² The quantum version is similar to the case of distributions of classical random variables where, given $X$, the 
existence of a certain $Y$ is understood as the existence of a joint distribution $P_{XY}$ with $\sum_y P_{XY}(\cdot, y) = P_X$. 

For random variables $X$ and $Y$, the conditional smooth min-entropy $H_\infty^\varepsilon(X | Y)$ is defined 
as $H_\infty^\varepsilon(X | Y) = \max_{\mathcal{E}} \min_y H_\infty(X\mathcal{E} | Y = y)$, where the quantification over $\mathcal{E}$ is over all events $\mathcal{E}$ 
(defined by $P_{\mathcal{E}|XY}$) with $\Pr(\mathcal{E}) \geq 1 - \varepsilon$. In the QKD application we work with smooth min-entropy conditioned 
on a quantum state. We refer the reader to [28] for the definition of this quantum version. We 
will make use of the following chain rule for smooth min-entropy [31], which in spirit was already 
shown in [8]. 

Lemma 2.1. $H_\infty^{\varepsilon+\varepsilon'}(X | Y) \geq H_\infty^\varepsilon(XY) - H_0(Y) - \log\big(\frac{1}{\varepsilon'}\big)$ for all $\varepsilon, \varepsilon' > 0$. 
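The following added Python example (not from the paper) makes the smoothing definition concrete. It computes $H_\infty^\varepsilon(X | Y)$ for a classical joint distribution by finding the least cap $t$ on the conditional probabilities whose excess mass is at most $\varepsilon$; no event $\mathcal{E}$ with $\Pr(\mathcal{E}) \geq 1 - \varepsilon$ can do better, so the smooth min-entropy is exactly $-\log t$. It then checks Lemma 2.1 on a constructed distribution with a single heavy outlier, which is the situation in which smoothing is worth a whole extra bit. Function names and the input distributions are this example's own constructions.

```python
import math
from collections import defaultdict

def min_entropy(dist):
    """H_inf(X) = -log2 max_x P(x) for {value: prob}; P may be non-normalized."""
    return -math.log2(max(dist.values()))

def max_entropy(dist):
    """H_0(X) = log2 |support of P|."""
    return math.log2(sum(1 for p in dist.values() if p > 0))

def smooth_min_entropy(joint, eps, iters=200):
    """eps-smooth min-entropy H^eps_inf(X | Y) of a classical joint {(x, y): p}.
    The unconditional H^eps_inf(X) is the case where every y is the same.

    An event E (a function 0 <= e(x,y) <= 1) reaches min-entropy -log2 t for every y
    iff P(x,y) e(x,y) <= t P_Y(y) for all x, y.  The event keeping the most mass under
    that constraint caps each P(x,y) at t P_Y(y), discarding
    sum_{x,y} max(P(x,y) - t P_Y(y), 0).  The optimum is the smallest t whose
    discarded mass is at most eps, found here by bisection on [0, 1].
    """
    py = defaultdict(float)
    for (_, y), p in joint.items():
        py[y] += p

    def discarded(t):
        return sum(max(p - t * py[y], 0.0) for (_, y), p in joint.items())

    lo, hi = 0.0, 1.0                 # t = 1 discards nothing, so hi is always feasible
    for _ in range(iters):
        mid = (lo + hi) / 2
        if discarded(mid) <= eps:
            hi = mid
        else:
            lo = mid
    return -math.log2(hi)

def marginal(joint, coord):
    out = defaultdict(float)
    for key, p in joint.items():
        out[key[coord]] += p
    return dict(out)

# Constructed input: X takes 100 values, one "heavy" value with probability 0.02 and
# 99 others sharing the remaining 0.98.  Y is a fair coin independent of X.
HEAVY = {0: 0.02, **{x: 0.98 / 99 for x in range(1, 100)}}
JOINT = {(x, y): p / 2 for x, p in HEAVY.items() for y in (0, 1)}

def unconditional(dist, eps):
    """H^eps_inf(X) via the conditional routine with a constant Y."""
    return smooth_min_entropy({(x, 0): p for x, p in dist.items()}, eps)

def chain_rule_slack(joint, eps, eps_prime):
    """LHS minus RHS of Lemma 2.1; non-negative whenever the lemma holds on this input."""
    lhs = smooth_min_entropy(joint, eps + eps_prime)
    xy_as_one = {(key, 0): p for key, p in joint.items()}   # treat (X, Y) as a single variable
    rhs = (smooth_min_entropy(xy_as_one, eps)
           - max_entropy(marginal(joint, 1))
           - math.log2(1 / eps_prime))
    return lhs - rhs

if __name__ == "__main__":
    print("H_inf(X)       =", unconditional(HEAVY, 0.0))
    print("H_inf^0.01(X)  =", unconditional(HEAVY, 0.01))
    print("chain-rule slack =", chain_rule_slack(JOINT, 0.001, 0.01))
```

On this input the plain min-entropy is $-\log_2 0.02 \approx 5.64$ bits, while discarding only $\varepsilon = 0.01$ of the probability mass (all of it from the heavy value) lifts $H_\infty^{0.01}(X)$ to $\log_2 100 \approx 6.64$ bits, which is the "except with probability $\varepsilon$" reading given above.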
2.3 Azuma's Inequality 

In the following and throughout the paper, the expected value of a real-valued random variable 
$R$ is denoted by $\mathbb{E}[R]$. Similarly, $\mathbb{E}[R|\mathcal{E}]$ and $\mathbb{E}[R|S]$ denote the conditional expectation of $R$ 
conditioned on an event $\mathcal{E}$ respectively random variable $S$. 

Definition 2.2. A list of real-valued random variables $R_1, \dots, R_n$ is called a martingale difference 
sequence if $\mathbb{E}[R_i | R_1, \dots, R_{i-1}] = 0$ with probability 1 for every $1 \leq i \leq n$, i.e., if 
$\mathbb{E}[R_i | R_1 = r_1, \dots, R_{i-1} = r_{i-1}] = 0$ for every $1 \leq i \leq n$ and all $r_1, \dots, r_{i-1} \in \mathbb{R}$. 

The following lemma follows directly from Azuma's inequality [2,1]. 

Lemma 2.3. Let $R_1, \dots, R_n$ be a martingale difference sequence such that $|R_i| \leq c$ for every 
$1 \leq i \leq n$. Then, $\Pr\big[\sum_i R_i \geq \lambda n\big] \leq \exp\big(-\frac{\lambda^2 n}{2c^2}\big)$ for any $\lambda > 0$. 

3 The Uncertainty Relation 

We start with a classical tool which itself might be of independent interest. 

Theorem 3.1. Let $Z_1, \dots, Z_n$ be $n$ (not necessarily independent) random variables over alphabet 
$\mathcal{Z}$, and let $h \geq 0$ be such that 

$$H(Z_i | Z_1 = z_1, \dots, Z_{i-1} = z_{i-1}) \geq h \qquad (3)$$

for all $1 \leq i \leq n$ and $z_1, \dots, z_{i-1} \in \mathcal{Z}$. Then for any $0 < \lambda < \frac{1}{2}$ 

$$H_\infty^\varepsilon(Z_1, \dots, Z_n) \geq (h - 2\lambda)n\,,$$

where $\varepsilon = \exp\Big(-\frac{\lambda^2 n}{32(\log(|\mathcal{Z}|/\lambda))^2}\Big)$. 

If the $Z_i$'s are independent and have Shannon-entropy at least $h$, it is known (see [31]) that the 
smooth min-entropy of $Z_1, \dots, Z_n$ is, to good approximation, at least $nh$ for large enough $n$.³ 
Informally, Theorem 3.1 guarantees that when the independence-condition is relaxed to a lower 
bound on the Shannon entropy of $Z_i$ given any previous history, then we still have min-entropy 
of (almost) $nh$ except with negligible probability $\varepsilon$. 

³ An even weaker version is the so-called Flattening Lemma [19], which requires the $Z_i$'s to be independent and 
equally distributed, with a given lower bound on the smallest probability. It is in particular this missing lower 
bound that makes our proof technically more involved. 
Proof (sketch). The idea is to use Azuma's inequality in the form of Lemma 2.3 for cleverly 
chosen $R_i$'s. For any $i$ we write $Z^i := (Z_1, \dots, Z_i)$ (with $Z^0$ being the "empty symbol"), and 
similarly for other sequences. We want to show that $\Pr[P_{Z^n}(Z^n) \geq 2^{-(h-2\lambda)n}] \leq \varepsilon$. By the 
definition of smooth min-entropy, this then implies the claim. Note that $P_{Z^n}(Z^n) \geq 2^{-(h-2\lambda)n}$ 
is equivalent to 

$$\sum_{i=1}^{n} \Big(\log\big(P_{Z_i|Z^{i-1}}(Z_i | Z^{i-1})\big) + h\Big) \geq 2\lambda n\,.$$

We set $S_i := \log P_{Z_i|Z^{i-1}}(Z_i | Z^{i-1})$. For such a sequence of real-valued random variables 
$S_1, \dots, S_n$, it is easy to verify that $R_1, \dots, R_n$ where $R_i := S_i - \mathbb{E}[S_i | S^{i-1}]$ forms a martingale 
difference sequence. If the $|R_i|$ were bounded by $c$, we could use Lemma 2.3 to conclude that 

$$\Pr\Big[\sum_{i=1}^{n} \big(S_i - \mathbb{E}[S_i | S^{i-1}]\big) \geq \lambda n\Big] \leq \exp\Big(-\frac{\lambda^2 n}{2c^2}\Big)\,.$$

As by assumption $\mathbb{E}[S_i | S^{i-1}] \leq -h$, this would give us a bound similar to what we want to 
show. In order to enforce a bound on $|R_i|$, $S_i$ needs to be truncated whenever $P_{Z_i|Z^{i-1}}(Z_i | Z^{i-1})$ 
is smaller than some $\delta > 0$. It is then a subtle and technically involved matter of choosing $\delta$ 
and $\varepsilon$ appropriately in order to finish the proof, as shown in Appendix A.1. □ 
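An added example (not the paper's code) that carries out the first step of the proof sketch exhaustively for a small, constructed Markov chain: it forms the surprisals $S_i$ and the differences $R_i := S_i - \mathbb{E}[S_i | S^{i-1}]$, confirms that the $R_i$ satisfy Definition 2.2 and that $\mathbb{E}[S_i | S^{i-1}] \leq -h$ for every history, and compares the exact tail probability $\Pr[\sum_i R_i \geq \lambda n]$ with the bound of Lemma 2.3. No truncation is needed here because every conditional probability of the chain is bounded away from zero; the chain parameters, $n$ and $\lambda$ are this example's own choices.

```python
import math
from collections import defaultdict
from itertools import product

# Constructed example: a two-state Markov chain over Z = {0, 1}.  The first symbol is
# uniform; afterwards the chain repeats the previous symbol with probability P_STAY.
# Every conditional distribution then has Shannon entropy H_bin(P_STAY) = 0.881...,
# so condition (3) of Theorem 3.1 holds with h = H_BOUND = 0.88.
P_STAY = 0.7
H_BOUND = 0.88

def cond_prob(prev, z):
    """P(Z_i = z | Z_{i-1} = prev); prev is None for the first symbol."""
    if prev is None:
        return 0.5
    return P_STAY if z == prev else 1.0 - P_STAY

def enumerate_paths(n):
    """Every z^n with its probability and surprisal sequence S_i = log2 P(Z_i | Z^{i-1})."""
    paths = []
    for zs in product((0, 1), repeat=n):
        prob, surprisals, prev = 1.0, [], None
        for z in zs:
            p = cond_prob(prev, z)
            prob *= p
            surprisals.append(math.log2(p))
            prev = z
        paths.append((prob, tuple(surprisals)))
    return paths

def _key(seq):
    # Histories are compared after rounding so that equal real values group together.
    return tuple(round(v, 12) for v in seq)

def conditional_means(paths, n):
    """means[i][S^{i-1}] = E[S_i | S^{i-1}], by exhaustive weighted averaging."""
    means = []
    for i in range(n):
        num, den = defaultdict(float), defaultdict(float)
        for prob, s in paths:
            k = _key(s[:i])
            num[k] += prob * s[i]
            den[k] += prob
        means.append({k: num[k] / den[k] for k in num})
    return means

def analyze(n, lam):
    paths = enumerate_paths(n)
    means = conditional_means(paths, n)
    # R_i := S_i - E[S_i | S^{i-1}], the martingale differences of the proof sketch.
    rs = [tuple(s[i] - means[i][_key(s[:i])] for i in range(n)) for _, s in paths]
    # Definition 2.2: E[R_i | R^{i-1}] must vanish for every reachable history.
    defect = 0.0
    for i in range(n):
        num, den = defaultdict(float), defaultdict(float)
        for (prob, _), r in zip(paths, rs):
            k = _key(r[:i])
            num[k] += prob * r[i]
            den[k] += prob
        defect = max(defect, max(abs(num[k] / den[k]) for k in num))
    c = max(abs(v) for r in rs for v in r)             # |R_i| <= c, as Lemma 2.3 needs
    tail = sum(prob for (prob, _), r in zip(paths, rs) if sum(r) >= lam * n)
    bound = math.exp(-(lam ** 2) * n / (2 * c ** 2))   # Lemma 2.3
    # Condition (3) in the form the proof uses: E[S_i | S^{i-1}] <= -h for all histories.
    h_observed = min(-m for table in means for m in table.values())
    return {"martingale_defect": defect, "c": c, "tail": tail,
            "bound": bound, "h_observed": h_observed}

if __name__ == "__main__":
    print(analyze(12, 0.2))
```

With $n = 12$ and $\lambda = 0.2$ the exact tail probability is about 0.11 against an Azuma bound of about 0.72; the bound is loose at this size, which is why the theorem's $\varepsilon$ only becomes negligible for large $n$.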

We now state and prove the new entropic uncertainty relation in its most general form. 
A special case will then be introduced (Corollary 3.4) and used in the security analysis of all 
protocols we consider in the following. 

Definition 3.2. Let $\mathcal{B}$ be a finite set of orthonormal bases in the $d$-dimensional Hilbert space $\mathcal{H}_d$. 
We call $h \geq 0$ an average entropic uncertainty bound for $\mathcal{B}$ if every state in $\mathcal{H}_d$ satisfies 
$\frac{1}{|\mathcal{B}|}\sum_{\vartheta \in \mathcal{B}} H(P_\vartheta) \geq h$, where $P_\vartheta$ is the distribution obtained by measuring the state in basis $\vartheta$. 

Note that by the convexity of the Shannon entropy $H$, a lower bound for all pure states in $\mathcal{H}_d$ 
suffices to imply the bound for all (possibly mixed) states. 

Theorem 3.3. Let $\mathcal{B}$ be a set of orthonormal bases in $\mathcal{H}_d$ with an average entropic uncertainty 
bound $h$, and let $\rho \in \mathcal{P}(\mathcal{H}_d^{\otimes n})$ be an arbitrary quantum state. Let $\Theta = (\Theta_1, \dots, \Theta_n)$ be uniformly 
distributed over $\mathcal{B}^n$ and let $X = (X_1, \dots, X_n)$ be the outcome when measuring $\rho$ in basis $\Theta$, 
taking values from $\{0, \dots, d-1\}^n$. Then for any $0 < \lambda < \frac{1}{2}$, 

$$H_\infty^\varepsilon(X | \Theta) \geq (h - 2\lambda)n$$

where $\varepsilon = \exp\Big(-\frac{\lambda^2 n}{32(\log(d|\mathcal{B}|/\lambda))^2}\Big)$. 

Proof. For $i \in \{1, \dots, n\}$ define $Z_i := (X_i, \Theta_i)$ and $Z^i := (Z_1, \dots, Z_i)$. Let $z^{i-1}$ be arbitrary in 
$(\{0, \dots, d-1\} \times \mathcal{B})^{i-1}$. Then 

$$H(Z_i | Z^{i-1} = z^{i-1}) = H(X_i | \Theta_i, Z^{i-1} = z^{i-1}) + H(\Theta_i | Z^{i-1} = z^{i-1}) \geq h + \log|\mathcal{B}|\,,$$

where the inequality follows from the fact that $\Theta_i$ is chosen uniformly at random and from the 
definition of $h$. Note that $h$ lower bounds the average entropy for any system in $\mathcal{H}_d$, and thus 
in particular for the $i$-th subsystem of $\rho$, with all previous $d$-dimensional subsystems measured. 
Theorem 3.1 thus implies that $H_\infty^\varepsilon(X\Theta) \geq (h + \log|\mathcal{B}| - 2\lambda)n$ for any $0 < \lambda < \frac{1}{2}$ and for $\varepsilon$ as 
claimed. We conclude that 

$$H_\infty^\varepsilon(X | \Theta) \geq H_\infty^\varepsilon(X\Theta) - n\log|\mathcal{B}| \geq (h - 2\lambda)n\,,$$

where the first inequality follows from the equality 

$$P_{X\mathcal{E}|\Theta}(x | \theta) = P_{X\Theta\mathcal{E}}(x, \theta)/P_\Theta(\theta) = |\mathcal{B}|^n \cdot P_{X\Theta\mathcal{E}}(x, \theta)$$

for all $x$ and $\theta$ and any event $\mathcal{E}$, and from the definition of (conditional) smooth entropy. □ 

For the special case where $\mathcal{B} = \{+, \times\}$ is the set of BB84 bases, we can use the uncertainty 
relation of Maassen and Uffink [27] (see (2) with $c = 1/\sqrt{2}$), which, using our terminology, 
states that $\mathcal{B}$ has average entropic uncertainty bound $h = \frac{1}{2}$. Theorem 3.3 then immediately 
gives the following corollary. 

Corollary 3.4. Let $\rho \in \mathcal{P}(\mathcal{H}_2^{\otimes n})$ be an arbitrary $n$-qubit quantum state. Let $\Theta$ be uniformly 
distributed over $\{+, \times\}^n$, and let $X$ be the outcome when measuring $\rho$ in basis $\Theta$. Then for any 
$0 < \lambda < \frac{1}{2}$, 

$$H_\infty^\varepsilon(X | \Theta) \geq \big(\tfrac{1}{2} - 2\lambda\big)n$$

where $\varepsilon = \exp\Big(-\frac{\lambda^2 n}{32(2 - \log\lambda)^2}\Big)$. 

Maassen and Uffink's relation being optimal means there exists a quantum state $\rho$ (namely 
the product state of eigenstates of the subsystems, e.g. $\rho = |0\rangle\langle 0|^{\otimes n}$) for which $H(X | \Theta) = \frac{n}{2}$. 
On the other hand, we have shown that $(\frac{1}{2} - 2\lambda)n \leq H_\infty^\varepsilon(X | \Theta)$ for $\lambda > 0$ arbitrarily close 
to 0. For the product state $\rho$, the $X_i$'s are independent and we know from [31] that in this 
case $H_\infty^\varepsilon(X | \Theta)$ approaches $H(X | \Theta) = \frac{n}{2}$. It follows that the relation cannot be significantly 
improved even when considering Rényi entropy of lower order than min-entropy (but higher 
than Shannon entropy). 

Another tight corollary is obtained if we consider the set of measurements $\mathcal{B} = \{+, \times, \odot\}$. 
In [32], Sánchez-Ruiz has shown that for this $\mathcal{B}$ the average entropic uncertainty bound $h = \frac{2}{3}$ 
is optimal. It implies that $H_\infty^\varepsilon(X | \Theta) \approx H(X | \Theta) = \frac{2n}{3}$ for negligible $\varepsilon$. In Appendix B we 
compute the average uncertainty bound for the set of all bases of a $d$-dimensional Hilbert space. 
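Added numerical check of the two bounds quoted here and in the introduction, not part of the paper: it evaluates the average entropy of Definition 3.2 on a grid of pure qubit states for $\mathcal{B} = \{+, \times\}$ and $\mathcal{B} = \{+, \times, \odot\}$ (bases as in Sect. 2.1), finds the minima $1/2$ and $2/3$ attained at $|0\rangle$, and shows on a sample state that min-entropy never exceeds Shannon entropy, which is the reason (1) cannot be improved beyond $nh$. The grid resolution and the helper names are this example's own choices.

```python
import cmath
import math

def shannon(probs):
    """Shannon entropy in bits, with 0 log 0 := 0."""
    return -sum(p * math.log2(p) for p in probs if p > 1e-15)

def min_entropy(probs):
    """H_inf = -log2 of the largest probability."""
    return -math.log2(max(probs))

INV_SQRT2 = 1 / math.sqrt(2)
# The three qubit bases of Sect. 2.1: + (computational), x (diagonal), o (circular).
BASES = {
    "+": [(1, 0), (0, 1)],
    "x": [(INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2)],
    "o": [(INV_SQRT2, INV_SQRT2 * 1j), (INV_SQRT2, -INV_SQRT2 * 1j)],
}

def outcome_distribution(psi, basis):
    """P_theta: Born-rule probabilities |<v|psi>|^2 over the vectors v of the basis."""
    return [abs(v[0].conjugate() * psi[0] + v[1].conjugate() * psi[1]) ** 2
            for v in BASES[basis]]

def average_entropy(psi, basis_set):
    """(1/|B|) sum_{theta in B} H(P_theta) for a pure qubit state psi (Definition 3.2).
    basis_set is a string such as "+x" or "+xo"."""
    return sum(shannon(outcome_distribution(psi, b)) for b in basis_set) / len(basis_set)

def bloch_state(theta, phi):
    """Pure qubit cos(theta/2)|0> + e^{i phi} sin(theta/2)|1>."""
    return (math.cos(theta / 2), cmath.exp(1j * phi) * math.sin(theta / 2))

def min_average_entropy(basis_set, steps=60):
    """Numerical minimum of the average entropy over a grid of pure states; pure
    states suffice because a mixed state is a convex combination of pure ones."""
    best = float("inf")
    for i in range(steps + 1):
        for j in range(steps):
            psi = bloch_state(math.pi * i / steps, 2 * math.pi * j / steps)
            best = min(best, average_entropy(psi, basis_set))
    return best

KET0 = (1, 0)   # |0>, an eigenstate of the + basis

if __name__ == "__main__":
    print("BB84   bound h, grid minimum:", min_average_entropy("+x"), "at |0>:", average_entropy(KET0, "+x"))
    print("3-basis bound h, grid minimum:", min_average_entropy("+xo"), "at |0>:", average_entropy(KET0, "+xo"))
    sample = outcome_distribution(bloch_state(1.0, 0.3), "x")
    print("H_inf <= H on a sample state:", min_entropy(sample), "<=", shannon(sample))
```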

4 Application: Oblivious Transfer 

4.1 Privacy Amplification and a Min-Entropy-Splitting Lemma 

Recall, a class $\mathcal{F}$ of hash functions from, say, $\{0,1\}^n$ to $\{0,1\}^\ell$ is called two-universal [9,36] if 
$\Pr[F(x) = F(x')] \leq 1/2^\ell$ for any distinct $x, x' \in \{0,1\}^n$ and for $F$ uniformly distributed over $\mathcal{F}$. 

Theorem 4.1 (Privacy Amplification [30,28]). Let $\varepsilon \geq 0$. Let $\rho_{XUE}$ be a ccq-state, where 
$X$ takes values in $\{0,1\}^n$, $U$ in the finite domain $\mathcal{U}$ and register $E$ contains $q$ qubits. Let $F$ be 
the random and independent choice of a member of a two-universal class of hash functions $\mathcal{F}$ 
from $\{0,1\}^n$ into $\{0,1\}^\ell$. Then, 

$$\delta\Big(\rho_{F(X)FUE},\ \tfrac{1}{2^\ell}\mathbb{I} \otimes \rho_{FUE}\Big) \leq \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty^\varepsilon(X|U) - q - \ell\right)} + 2\varepsilon\,. \qquad (4)$$

The theorem stated here is slightly different from the version given in [30,28] in that the classical 
and the quantum parts of the adversary's knowledge are treated differently. A derivation of the 
above theorem starting from the result in [28] is given in Appendix A.2. 
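Added example, not code from the paper: a concrete two-universal family (multiplication by the key in $\mathrm{GF}(2^8)$ with the output truncated to $\ell$ bits; this particular family is an assumption of the example, not one the paper names) with an exhaustive check of the collision probability, followed by an exact computation of the distance in (4) for the purely classical case $q = 0$, $\varepsilon = 0$ and trivial $U$, where the bound reduces to $\frac{1}{2} 2^{-(H_\infty(X) - \ell)/2}$.

```python
from fractions import Fraction

# Constructed two-universal family on 8-bit inputs: F_a(x) = low ell bits of a*x in
# GF(2^8), key a uniform over all 256 field elements.  Since a*x + a*x' = a*(x+x') and
# multiplication by a nonzero field element is a bijection, exactly 2^(8-ell) keys map
# x+x' to an element whose low ell bits vanish, so Pr[F(x) = F(x')] = 2^-ell for x != x'.
N_BITS = 8
MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (a constructed choice)

def gf_mul(a, b):
    """Carry-less multiplication of two bytes reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N_BITS):
            a ^= MODULUS
    return r

def hash_fn(key, x, ell):
    return gf_mul(key, x) & ((1 << ell) - 1)

def max_collision_probability(ell):
    """max over x != x' of Pr_key[F(x) = F(x')], exhaustively over all 256 keys.  As the
    family is GF(2)-linear in x, only the difference d = x XOR x' matters."""
    worst = Fraction(0)
    for d in range(1, 1 << N_BITS):
        hits = sum(1 for key in range(1 << N_BITS) if hash_fn(key, d, ell) == 0)
        worst = max(worst, Fraction(hits, 1 << N_BITS))
    return worst

def amplification_distance(support, ell):
    """Trace distance between (F(X), F) and (uniform ell-bit string, F) for X uniform on
    `support` and no side information, computed exactly with rationals."""
    n_keys = 1 << N_BITS
    joint = {}
    weight = Fraction(1, n_keys * len(support))
    for key in range(n_keys):
        for x in support:
            v = hash_fn(key, x, ell)
            joint[(key, v)] = joint.get((key, v), Fraction(0)) + weight
    uniform = Fraction(1, n_keys * (1 << ell))
    dist = Fraction(0)
    for key in range(n_keys):
        for v in range(1 << ell):
            dist += abs(joint.get((key, v), Fraction(0)) - uniform)
    return dist / 2

def theorem_4_1_bound(min_entropy_bits, ell):
    """Right-hand side of (4) with q = 0, eps = 0 and U trivial."""
    return 0.5 * 2 ** (-(min_entropy_bits - ell) / 2)

SUPPORT = list(range(64))   # constructed X: uniform on 64 values, so H_inf(X) = 6 bits

if __name__ == "__main__":
    for ell in (2, 4):
        print(f"ell={ell}: max collision probability {max_collision_probability(ell)}")
    d = amplification_distance(SUPPORT, 2)
    print(f"distance {float(d):.4f} <= bound {theorem_4_1_bound(6, 2)}")
```

The extracted 2-bit key from a 6-bit-min-entropy source lands within the promised $1/8$ of uniform; raising $\ell$ towards $H_\infty(X)$ shrinks that margin, which is the trade-off the sender faces when choosing $\ell$ in the protocol of Sect. 4.3.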

A second tool we need is the following Min-Entropy-Splitting Lemma. Note that if the joint 
entropy of two random variables $X_0$ and $X_1$ is large, then one is tempted to conclude that at 
least one of $X_0$ and $X_1$ must still have large entropy, e.g. half of the original entropy. Whereas 
this is indeed true for Shannon entropy, it is in general not true for min-entropy. The following 
lemma, though, which appeared in a preliminary version of [38], shows that it is true in a 
randomized sense. For completeness, the proof can be found in Appendix A.3. 

Lemma 4.2 (Min-Entropy-Splitting Lemma). Let $\varepsilon \geq 0$, and let $X_0, X_1$ be random variables 
(over possibly different alphabets) with $H_\infty^\varepsilon(X_0X_1) \geq \alpha$. Then, there exists a binary random 
variable $C$ over $\{0, 1\}$ such that $H_\infty^\varepsilon(X_{1-C}C) \geq \alpha/2$. 

The corollary below follows rather straightforwardly by noting that (for normalized as well 
as non-normalized distributions) $H_\infty(X_0X_1 | Z) \geq \alpha$ holds exactly if $H_\infty(X_0X_1 | Z = z) \geq \alpha$ for 
all $z$, applying the Min-Entropy-Splitting Lemma, and then using the Chain Rule, Lemma 2.1. 

Corollary 4.3. Let $\varepsilon \geq 0$, and let $X_0, X_1$ and $Z$ be random variables (over possibly different 
alphabets) such that $H_\infty^\varepsilon(X_0X_1 | Z) \geq \alpha$. Then, there exists a binary random variable $C$ over 
$\{0, 1\}$ such that $H_\infty^{\varepsilon+\varepsilon'}(X_{1-C} | ZC) \geq \alpha/2 - 1 - \log(1/\varepsilon')$ for any $\varepsilon' > 0$. 
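An added example (not the paper's code; the paper's own proof is in Appendix A.3 and is not reproduced here) showing both halves of the remark above: a constructed joint distribution in which $H_\infty(X_0X_1) = \alpha$ while each of $X_0$ and $X_1$ alone has less than one bit of min-entropy, together with one explicit choice of $C$, decided from the value of $X_0$ alone, that attains $H_\infty(X_{1-C}C) \geq \alpha/2$ as Lemma 4.2 promises. The construction and its names are this example's own.

```python
import math
from collections import defaultdict

def min_entropy(dist):
    """H_inf of a (possibly non-normalized) distribution given as {value: prob}."""
    return -math.log2(max(dist.values()))

def marginal(joint, coord):
    out = defaultdict(float)
    for key, p in joint.items():
        out[key[coord]] += p
    return dict(out)

def split(joint, alpha):
    """Given {(x0, x1): p} with H_inf(X0 X1) >= alpha, build the pair (X_{1-C}, C).

    C := 1 (release X0) when the observed x0 is 'light', i.e. P_{X0}(x0) <= 2^{-alpha/2},
    and C := 0 (release X1) otherwise.  A light x0 contributes at most 2^{-alpha/2} of
    mass to (x0, 1).  Fewer than 2^{alpha/2} values of x0 can be heavy, and each
    (heavy x0, x1) pair carries at most 2^{-alpha}, so every (x1, 0) entry is also
    bounded by 2^{-alpha/2}.  Returns {(value, c): prob}.
    """
    p_x0 = marginal(joint, 0)
    threshold = 2.0 ** (-alpha / 2)
    out = defaultdict(float)
    for (x0, x1), p in joint.items():
        if p_x0[x0] <= threshold:
            out[(x0, 1)] += p
        else:
            out[(x1, 0)] += p
    return dict(out)

def example_joint(k):
    """Constructed (X0, X1) over {0..2^k-1}^2: with probability 1/2, X0 = 0 and X1 is
    uniform; with probability 1/2, X1 = 0 and X0 is uniform.  Then H_inf(X0 X1) = k,
    but each of X0 and X1 alone equals 0 with probability above 1/2."""
    joint = defaultdict(float)
    for v in range(1 << k):
        joint[(0, v)] += 0.5 / (1 << k)
        joint[(v, 0)] += 0.5 / (1 << k)
    return dict(joint)

def demo(k=4):
    joint = example_joint(k)
    alpha = min_entropy(joint)
    released = split(joint, alpha)
    return {
        "alpha": alpha,
        "h_x0": min_entropy(marginal(joint, 0)),
        "h_x1": min_entropy(marginal(joint, 1)),
        "h_split": min_entropy(released),
        "total_mass": sum(released.values()),
    }

if __name__ == "__main__":
    print(demo(4))
```

For $k = 4$ the joint min-entropy is 4 bits, both marginals sit just above 0.9 bits, and the released pair $(X_{1-C}, C)$ still has 4 bits, comfortably above the guaranteed $\alpha/2 = 2$.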

4.2 The Definition 

In 1-2 OT$^\ell$, the sender Alice sends two $\ell$-bit strings $S_0, S_1$ to the receiver Bob in such a way 
that Bob can choose which string to receive, but does not learn anything about the other. On 
the other hand, Alice does not get to know which string Bob has chosen. The common way to 
build 1-2 OT$^\ell$ is by constructing a protocol for (Sender-)Randomized 1-2 OT$^\ell$, which then can 
easily be converted into an ordinary 1-2 OT$^\ell$ (see, e.g., [11]). Rand 1-2 OT$^\ell$ essentially coincides 
with ordinary 1-2 OT$^\ell$, except that the two strings $S_0$ and $S_1$ are not input by the sender but 
generated uniformly at random during the protocol and output to the sender. 

For the formal definition of the security requirements of a quantum protocol for Rand 1-2 OT$^\ell$, 
let us fix the following notation: Let $C$ denote the binary random variable describing receiver 
R's choice bit, let $S_0, S_1$ denote the $\ell$-bit long random variables describing sender S's output 
strings, and let $Y$ denote the $\ell$-bit long random variable describing R's output string (supposed 
to be $S_C$). Furthermore, for a fixed candidate protocol for Rand 1-2 OT$^\ell$, and for a fixed input 
distribution for $C$, the overall quantum state in case of a dishonest sender $\tilde{\mathrm{S}}$ is given by the 
ccq-state $\rho_{CY\tilde{\mathrm{S}}}$. Analogously, in the case of a dishonest receiver $\tilde{\mathrm{R}}$, we have the ccq-state $\rho_{S_0S_1\tilde{\mathrm{R}}}$. 

Definition 4.4 (Rand 1-2 OT$^\ell$). An $\varepsilon$-secure Rand 1-2 OT$^\ell$ is a quantum protocol between 
S and R, with R having input $C \in \{0, 1\}$ while S has no input, such that for any distribution of 
$C$, if S and R follow the protocol, then S gets output $S_0, S_1 \in \{0, 1\}^\ell$ and R gets $Y = S_C$, except 
with probability $\varepsilon$, and the following two properties hold: 

$\varepsilon$-Receiver-security: If R is honest, then for any $\tilde{\mathrm{S}}$, there exist random variables $S'_0, S'_1$ such 
that $\Pr[Y = S'_C] \geq 1 - \varepsilon$ and $\delta(\rho_{CS'_0S'_1\tilde{\mathrm{S}}},\ \rho_C \otimes \rho_{S'_0S'_1\tilde{\mathrm{S}}}) \leq \varepsilon$. 

$\varepsilon$-Sender-security: If S is honest, then for any $\tilde{\mathrm{R}}$, there exists a binary random variable $C$ 
such that $\delta(\rho_{S_{1-C}S_CC\tilde{\mathrm{R}}},\ \tfrac{1}{2^\ell}\mathbb{I} \otimes \rho_{S_CC\tilde{\mathrm{R}}}) \leq \varepsilon$. 

If any of the above holds for $\varepsilon = 0$, then the corresponding property is said to hold perfectly. If 
one of the properties only holds with respect to a restricted class $\mathfrak{S}$ of $\tilde{\mathrm{S}}$'s respectively $\mathfrak{R}$ of $\tilde{\mathrm{R}}$'s, 
then this property is said to hold and the protocol is said to be secure against $\mathfrak{S}$ respectively $\mathfrak{R}$. 

Receiver-security, as defined here, implies that whatever a dishonest sender does is as good 
as the following: generate the ccq-state $\rho_{S'_0S'_1\tilde{\mathrm{S}}}$ independently of $C$, let R know $S'_C$, and output 
$\rho_{\tilde{\mathrm{S}}}$. On the other hand, sender-security implies that whatever a dishonest receiver does is as good 
as the following: generate the ccq-state $\rho_{S_CC\tilde{\mathrm{R}}}$, let S know $S_C$ and an independent uniformly 
distributed $S_{1-C}$, and output $\rho_{\tilde{\mathrm{R}}}$. In other words, a protocol satisfying Definition 4.4 is a secure 
implementation of the natural Rand 1-2 OT$^\ell$ ideal functionality, except that it allows a dishonest 
sender to influence the distribution of $S_0$ and $S_1$, and the dishonest receiver to influence the 
distribution of the string of his choice. This is in particular good enough for constructing a 
standard 1-2 OT$^\ell$ in the straightforward way. 

We would like to point out the importance of requiring the existence of $S'_0$ and $S'_1$ in the 
formulation of receiver-security in a quantum setting: requiring only that the sender learns 
no information on $C$, as is sufficient in the classical setting (see e.g. [10]), does not prevent a 
dishonest sender from obtaining $S_0, S_1$ by a suitable measurement after the execution of the 
protocol in such a way that he can choose $S_0 \oplus S_1$ at will, and $S_C$ is the string the receiver has 
obtained in the protocol. 

4.3 The Protocol 

We introduce a quantum protocol for Rand 1-2 OT$^\ell$ that will be shown perfectly receiver-secure
against any sender and $\varepsilon$-sender-secure against any quantum-memory-bounded receiver for a
negligible $\varepsilon$. The first two steps of the protocol are identical to Wiesner's "conjugate coding"
protocol [37] from circa 1970 for "transmitting two messages either but not both of which may
be received".

The simple protocol is described in Fig. 1, where for $x \in \{0,1\}^n$ and $I \subseteq \{1,\dots,n\}$ we
define $x|_I$ to be the restriction of $x$ to the bits $x_i$ with $i \in I$. The sender S sends random BB84
states to the receiver R, who measures all received qubits according to his choice bit $C$. S then
picks randomly two functions from a fixed two-universal class of hash functions $\mathcal{F}$ from $\{0,1\}^n$
to $\{0,1\}^\ell$, where $\ell$ is to be determined later, and applies them to the bits encoded in the $+$-basis
respectively the bits encoded in the $\times$-basis to obtain the output strings $S_0$ and $S_1$. Note that we
may apply a function $f \in \mathcal{F}$ to an $n'$-bit string with $n' < n$ by padding it with zeros (which
does not decrease its entropy). S announces the encoding bases and the hash functions to the
receiver who then can compute $S_C$. Intuitively, a dishonest receiver who cannot store all the
qubits until the right bases are announced, will measure some qubits in the wrong basis and
thus cannot learn both strings simultaneously.



Rand 1-2 QOT$^\ell$: Let $c$ be R's choice bit.

1. S picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$, and sends $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \dots, |x_n\rangle_{\theta_n}$ to R.

2. R measures all qubits in basis $[+,\times]_c$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks two hash functions $f_0, f_1 \in_R \mathcal{F}$, announces $\theta$ and $f_0, f_1$ to R, and outputs $s_0 := f_0(x|_{I_0})$ and
$s_1 := f_1(x|_{I_1})$ where $I_b := \{i : \theta_i = [+,\times]_b\}$.

4. R outputs $s_c = f_c(x'|_{I_c})$.

Fig. 1. Quantum Protocol for Rand 1-2 OT$^\ell$.
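The following simulation of Fig. 1 is an added example and not code from the paper. Qubits are replaced by the one property the protocol relies on (a BB84 state measured in its encoding basis returns the encoded bit, in the other basis a uniform bit), and the two-universal class $\mathcal{F}$ is instantiated, as an assumption, by random GF(2)-linear maps; the helper names are hypothetical. It checks that an honest R always obtains $s_c$, and that a receiver who measured everything in one basis before $\theta$ was announced matches the other string only at the chance rate of about $2^{-\ell}$.

```python
"""Classical simulation of Rand 1-2 QOT^l (Fig. 1); an added example."""
import random

PLUS, TIMES = 0, 1            # basis labels: [+, x]_0 = +, [+, x]_1 = x
rng = random.Random(2007)     # fixed seed so the demo is reproducible


def random_bits(n):
    return [rng.randrange(2) for _ in range(n)]


def measure(x, theta, bases):
    """Outcome of measuring |x_i>_{theta_i} in basis bases[i]: x_i if the
    bases agree, otherwise a uniformly random bit (the BB84 property)."""
    return [xi if ti == bi else rng.randrange(2)
            for xi, ti, bi in zip(x, theta, bases)]


def random_linear_hash(n, ell):
    """A random l x n binary matrix M; the family x -> Mx over GF(2) is
    two-universal (assumed instantiation of the class F)."""
    return [random_bits(n) for _ in range(ell)]


def apply_hash(matrix, bits):
    """f(bits): pad with zeros up to n bits (does not lower entropy), then Mx."""
    n = len(matrix[0])
    padded = bits + [0] * (n - len(bits))
    return tuple(sum(m * b for m, b in zip(row, padded)) % 2 for row in matrix)


def restrict(x, theta, b):
    """x|_{I_b} with I_b = {i : theta_i = [+, x]_b}."""
    return [xi for xi, ti in zip(x, theta) if ti == b]


def rand_ot(n, ell, c, receiver_bases=None):
    """Run the protocol.  An honest R measures every qubit in [+, x]_c;
    receiver_bases lets a memory-less receiver pick a basis per qubit.
    Returns the transcript needed to check both parties' outputs."""
    # Step 1: S picks x, theta and sends |x_1>_{theta_1} ... |x_n>_{theta_n}.
    x, theta = random_bits(n), random_bits(n)
    # Step 2: R must measure before theta is announced.
    bases = receiver_bases if receiver_bases is not None else [c] * n
    x_prime = measure(x, theta, bases)
    # Step 3: S picks f_0, f_1, announces theta, f_0, f_1, outputs s_b = f_b(x|_{I_b}).
    f = [random_linear_hash(n, ell), random_linear_hash(n, ell)]
    s = [apply_hash(f[b], restrict(x, theta, b)) for b in (0, 1)]
    # Step 4: R outputs s_c = f_c(x'|_{I_c}).
    s_c = apply_hash(f[c], restrict(x_prime, theta, c))
    return {"theta": theta, "f": f, "x_prime": x_prime, "s": s, "s_c": s_c}


def honest_receiver_correct(n=32, ell=8, trials=50):
    """Correctness: an honest R always ends with Y = S_C."""
    for _ in range(trials):
        c = rng.randrange(2)
        t = rand_ot(n, ell, c)
        if t["s_c"] != t["s"][c]:
            return False
    return True


def other_string_hit_rate(n=32, ell=8, trials=200):
    """A receiver with no quantum memory measured all qubits in [+, x]_c.
    Fraction of runs in which f_{1-c}(x'|_{I_{1-c}}) nevertheless equals
    s_{1-c}: about 2^{-l}, since x' is uniform on the wrong-basis positions."""
    hits = 0
    for _ in range(trials):
        c = rng.randrange(2)
        t = rand_ot(n, ell, c)
        guess = apply_hash(t["f"][1 - c], restrict(t["x_prime"], t["theta"], 1 - c))
        hits += guess == t["s"][1 - c]
    return hits / trials


if __name__ == "__main__":
    print("honest receiver correct:", honest_receiver_correct())
    print("second-string hit rate (expect ~2^-8):", other_string_hit_rate())
```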

We would like to stress that although protocol description and analysis are designed for
an ideal setting with perfect noiseless quantum communication and with perfect sources and
detectors, all our results can easily be extended to a more realistic noisy setting along the same
lines as in [13].

It is clear by the non-interactivity of Rand 1-2 QOT$^\ell$ that a dishonest sender cannot learn
anything about the receiver's choice bit. Below, we show Rand 1-2 QOT$^\ell$ perfectly receiver-
secure according to Definition 4.4; the idea, though, simply is to have a dishonest $\tilde{S}$ execute the
protocol with a receiver that has unbounded quantum memory and that way can compute $S'_0$
and $S'_1$.

Proposition 4.5. Rand 1-2 QOT$^\ell$ is perfectly receiver-secure.

Proof. Recall the ccq-state $\rho_{CY\tilde{S}}$ defined by the experiment where $\tilde{S}$ interacts with the honest
memory-bounded R. We now define (in a new Hilbert space) the ccccq-state $\rho_{CYS'_0S'_1\tilde{S}}$ by a
slightly different experiment: We let $\tilde{S}$ interact with a receiver with unbounded quantum memory,
which waits to receive $\theta$ and then measures the $i$-th qubit in basis $\theta_i$ for $i = 1,\dots,n$. Let $X$ be
the resulting string, and define $S'_0 = f_0(X|_{I_0})$ and $S'_1 = f_1(X|_{I_1})$. Finally, sample $C$ according
to $P_C$ and set $Y = S'_C$. It follows by construction that $\Pr[Y \ne S'_C] = 0$ and $\rho_C$ is independent
of $\rho_{S'_0S'_1\tilde{S}}$. It remains to argue that $\rho_{CY\tilde{S}}$ equals the corresponding marginal of the new
experiment's state, so that corresponding $S'_0$ and $S'_1$ also exist in the original experiment. But this
is obviously satisfied since the only difference between the two experiments is when and in what
basis the qubits at position $i \in I_{1-C}$ are measured, which does not affect $\rho_{CY\tilde{S}}$ in either experiment.

We model dishonest receivers in Rand 1-2 QOT$^\ell$ under the assumption that the maximum
size of their quantum storage is bounded. Such adversaries are only required to have bounded
quantum storage when Step 3 in Rand 1-2 QOT$^\ell$ is reached; before and after that, the adversary
can store and carry out arbitrary quantum computations involving any number of qubits. Let
$\mathfrak{R}_q$ denote the set of all possible quantum dishonest receivers $\tilde{R}$ in Rand 1-2 QOT$^\ell$ which have
quantum memory of size at most $q$ when Step 3 is reached. We stress once more that apart
from the restriction on the size of the quantum memory available to the adversary, no other
assumption is made. In particular, the adversary is not assumed to be computationally bounded
and the size of his classical memory is not restricted.

Theorem 4.6. Rand 1-2 QOT$^\ell$ is $\varepsilon$-sender-secure against $\mathfrak{R}_q$ for a negligible (in $n$) $\varepsilon$ if $n/4 -
2\ell - q \in \Omega(n)$.

For improved readability, we merely give a sketch of the proof; the formal proof that takes care
of all the $\varepsilon$'s is given in Appendix A.4.

Proof (sketch). It remains to show sender-security. Let $X$ be the random variable that describes
the sender's choice of $x$, where we understand the distribution of $X$ to be conditioned on the
classical information that $\tilde{R}$ obtained by measuring all but $\gamma n$ qubits. A standard purification
argument, that was also used in [13], shows that the same $X$ can be obtained by measuring a
quantum state in basis $\theta \in_R \{+,\times\}^n$, described by the random variable $\Theta$: for each qubit $|x_i\rangle_{\theta_i}$
the sender S is instructed to send to $\tilde{R}$, S instead prepares an EPR pair $|\Phi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$
and sends one part to $\tilde{R}$ while keeping the other, and when Step 3 is reached, S measures her
qubits.

The uncertainty relation, Theorem 3.4, implies that the smooth min-entropy of $X$ given $\Theta$
is approximately $n/2$. Let now $X_0$ and $X_1$ be the two substrings of $X$ consisting of the bits
encoded in the basis $+$ or $\times$, respectively. Then the Min-Entropy-Splitting Lemma, or, more
precisely, Corollary 4.3, implies the existence of a binary $C'$ such that $X_{1-C'}$ has approximately
$n/4$ bits of smooth min-entropy given $\Theta$ and $C'$. From the random and independent choice of
the hash functions $F_0, F_1$ and from the Chain Rule, Lemma 2.1, it follows that $X_{1-C'}$ has still
about $n/4 - \ell$ bits of smooth min-entropy when conditioning on $\Theta$, $C'$, $F_{C'}$ and $F_{C'}(X_{C'})$. The
Privacy Amplification Theorem 4.1 then guarantees that $S_{1-C'} = F_{1-C'}(X_{1-C'})$ is close to
random, given $\Theta$, $C'$, $F_{C'}$, $S_{C'}$, $F_{1-C'}$ and $\tilde{R}$'s quantum state of size $q$, if $n/4 - 2\ell - q$ is positive
and linear in $n$. □

We note that by adapting recent and more advanced techniques [38] to the quantum case, the
security of Rand 1-2 QOT$^\ell$ can be proven against $\mathfrak{R}_q$ if $n/4 - \ell - q \in \Omega(n)$.

5 Application: Quantum Bit Commitment 

The binding criterion for classical commitments usually requires that after the committing phase
and for any dishonest committer, there exists a unique bit $b' \in \{0,1\}$ that can only be opened
with negligible probability. In the quantum world, this approach appears to be problematic
since if the commitment is unconditionally concealing, the committer can place himself in a
superposition of committing to 0 and 1 and only later make a measurement that fixes the
choice. For this reason, the previous standard approach (see e.g. [17]) was to use a weaker
binding condition only requiring that the probabilities $p_0$ and $p_1$ (to successfully open $b = 0$
and $b = 1$ respectively), satisfy $p_0 + p_1 \le 1$. The bit commitment scheme proposed in [13] was
shown to be binding in this weak sense. However, we argue that this weak notion is not really
satisfactory. A shortcoming of this notion is that committing bit by bit is not guaranteed to yield
a secure string commitment: the argument that one is tempted to use requires independence
of the $p_b$'s between the different executions, which in general does not hold.

We now argue that this notion is unnecessarily weak, at least in some cases, and in particular
in the case of commitments in the bounded-quantum-storage model where the dishonest com-
mitter is forced to do some partial measurement and where we assume honest parties to produce
only classical output (by measuring their entire quantum state). Technically, this means that
for any dishonest committer $\tilde{C}$, the joint state of the honest verifier and of $\tilde{C}$ after the commit
phase is a ccq-state $\rho_{VZ\tilde{C}} = \sum_{v,z} P_{VZ}(v,z)\,|v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\tilde{C}}$, where the first register contains
the verifier's (classical) output and the remaining two registers contain $\tilde{C}$'s (partially classical)
output. We propose the following definition.

Definition 5.1. A commitment scheme in the bounded-quantum-storage model is called $\varepsilon$-
binding, if for every (dishonest) committer $\tilde{C}$, inducing a joint state $\rho_{VZ\tilde{C}}$ after the commit
phase, there exists a classical binary random variable $B'$, given by its conditional distribution
$P_{B'|VZ}$, such that for $b = 0$ and $b = 1$ the state $\rho^{b}_{VZ\tilde{C}} = \sum_{v,z} P_{VZ|B'}(v,z|b)\,|v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\tilde{C}}$
satisfies the following condition. When executing the opening phase on the state $\rho^{b}_{VZ\tilde{C}}$, for any
strategy of $\tilde{C}$, the honest verifier accepts an opening to $1 - b$ with probability at most $\varepsilon$.

It is easy to see that the binding property as defined here implies the above discussed weak
version, namely $p_b \le P_{B'}(b) + P_{B'}(1-b)\,\varepsilon$ and thus $p_0 + p_1 \le 1 + \varepsilon$. Furthermore, it is straight-
forward to see that this stronger notion allows for a formal proof of the obvious reduction of a
string to a bit commitment by committing bit-wise: the $i$-th execution of the bit commitment
scheme guarantees a random variable $B'_i$, defined by $P_{B'_i|V_iZ_i}$, such that the committer cannot
open the $i$-th bit commitment to $1 - B'_i$, and thus there exists a random variable $S'$, namely
$S' = (B'_1,\dots,B'_m)$ defined by $P_{B'_1\cdots B'_m|V_1\cdots V_m Z} = \prod_i P_{B'_i|V_iZ}$, such that for any opening strategy,
the committer cannot open the list of commitments to any other string than $S'$.

We show in the following that the quantum bit-commitment scheme from [13] fulfills the
stronger notion of binding from Definition 5.1 above. For convenience, the protocol COMM is
reproduced in Fig. 2 below. Let $\mathfrak{C}_q$ denote the set of all possible quantum dishonest committers
$\tilde{C}$ in COMM which have quantum memory of size at most $q$ at the start of the opening phase
(Step 3). Then the following holds.

Theorem 5.2. The quantum bit-commitment scheme COMM is $\varepsilon$-binding according to Defini-
tion 5.1 against $\mathfrak{C}_q$ for a negligible (in $n$) $\varepsilon$ if $n/4 - q \in \Omega(n)$.



COMM: Let $b$ be the bit C wants to commit to.

1. V picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$, and sends $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \dots, |x_n\rangle_{\theta_n}$ to C.

2. C measures all qubits in basis $[+,\times]_b$ to commit to $b$. Let $x' \in \{0,1\}^n$ be the result.

3. To open the commitment, C sends $b$ and $x'$ to V.

4. V accepts if and only if $x_i = x'_i$ for all those $i$ where $\theta_i = [+,\times]_b$.

Fig. 2. Protocol COMM for commitment.
Proof (Sketch). By considering a purified version of the scheme and using the uncertainty re-
lation, one can argue that $X$ has (smooth) min-entropy about $n/2$ given $\Theta$. The Min-Entropy-
Splitting Lemma implies that there exists $B'$ such that $X_{1-B'}$ has smooth min-entropy about
$n/4$ given $\Theta$ and $B'$. Privacy amplification implies that $F(X_{1-B'})$ is close to random given
$\Theta, B', F$ and $\tilde{C}$'s quantum register of size $q$, where $F$ is a two-universal one-bit-output hash
function. This implies that $\tilde{C}$ cannot guess $X_{1-B'}$ except with small probability. □

6 Application: Quantum Key Distribution 

Let $\mathcal{B}$ be a set of orthonormal bases on a Hilbert space $\mathcal{H}_d$, and assume that the basis vectors of
each basis $\vartheta \in \mathcal{B}$ are parametrized by the elements of some fixed set $\mathcal{X}$. We then consider QKD
protocols consisting of the steps described in Fig. 3. Note that the quantum channel is only used
in the preparation step. Afterwards, the communication between Alice and Bob is only classical
(over an authentic channel).



One-Way QKD: let $N \in \mathbb{N}$ be arbitrary.

1. Preparation: For $i = 1 \dots N$, Alice chooses at random a basis $\vartheta_i \in \mathcal{B}$ and a random element $X_i \in \mathcal{X}$.
She encodes $X_i$ into the state of a quantum system (e.g., a photon) according to the basis $\vartheta_i$ and sends
this system to Bob. Bob measures each of the states he receives according to a randomly chosen basis
$\vartheta'_i$ and stores the outcome $Y_i$ of this measurement.

2. Sifting: Alice and Bob publicly announce their choices of bases and keep their data at position $i$ only if
$\vartheta_i = \vartheta'_i$. In the following, we denote by $X$ and $Y$ the concatenation of the remaining data $X_i$ and $Y_i$,
respectively. $X$ and $Y$ are sometimes called the sifted raw key.

3. Error correction: Alice computes some error correction information $C$ depending on $X$ and sends $C$ to
Bob. Bob computes a guess $\hat{X}$ for Alice's string $X$, using $C$ and $Y$.

4. Privacy amplification: Alice chooses at random a function $f$ from a two-universal family of hash functions
and announces $f$ to Bob. Alice and Bob then compute the final key by applying $f$ to their respective
strings $X$ and $\hat{X}$.

Fig. 3. General form for one-way QKD protocols.

As shown in [28] (Lemma 6.4.1), the length $\ell$ of the secret key that can be generated in the
privacy amplification step of the protocol described above is given by

$\ell \approx H^{\varepsilon}_{\min}(X \mid E) - H_0(C)$ , (see footnote 4)

where $E$ denotes the (quantum) system containing all the information Eve might have gained
during the preparation step of the protocol and where $H_0(C)$ is the number of error correction
bits sent from Alice to Bob. Note that this formula can be seen as a generalization of the well
known expression by Csiszár and Körner for classical key agreement [11].

Let us now assume that Eve's system $E$ can be decomposed into a classical part $Z$ and a
purely quantum part $E'$. Then, using the chain rule (Lemma 3.2.9 in [28]), we find

$\ell \approx H^{\varepsilon}_{\min}(X \mid Z E') - H_0(C) \ \ge\ H^{\varepsilon}_{\min}(X \mid Z) - H_0(E') - H_0(C)$ .

Because, during the preparation step, Eve does not know the encoding bases which are chosen at
random from the set $\mathcal{B}$, we can apply our uncertainty relation (Theorem 3.3) to get a lower bound
for the min-entropy of $X$ conditioned on Eve's classical information $Z$, i.e., $H^{\varepsilon}_{\min}(X \mid Z) \ge Mh$,
where $M$ denotes the length of the sifted raw key $X$ and $h$ is the average entropic uncertainty
bound for $\mathcal{B}$. Let $q$ be the bound on the size of Eve's quantum memory $E'$. Moreover, let $e$ be
the average amount of error correction information that Alice has to send to Bob per symbol
of the sifted raw key $X$. Then $\ell \ge M(h - e) - q$. Hence, if the memory bound only grows
sublinearly in the length $M$ of the sifted raw key, then the key rate, i.e., the number of key bits
generated per bit of the sifted raw key, is lower bounded by

rate $\ge h - e$ .

4 The approximation in this and the following equations holds up to some small additive value which depends
logarithmically on the desired security $\varepsilon$ of the final key.

The Binary-Channel Setting. For a binary channel (where $\mathcal{H}$ has dimension two), the average
amount of error correction information $e$ is given by the binary Shannon entropy (see footnote 5) $H_{\mathrm{bin}}(p) =
-(p\log(p) + (1-p)\log(1-p))$, where $p$ is the bit-flip probability of the quantum channel (for
classical bits encoded according to some orthonormal basis as described above). The achievable
key rate of a QKD protocol using a binary quantum channel is thus given by rate$_{\mathrm{binary}} \ge
h - H_{\mathrm{bin}}(p)$. Summing up, we have derived the following theorem.

Theorem 6.1. Let $\mathcal{B}$ be a set of orthonormal bases of $\mathcal{H}_2$ with average entropic uncertainty
bound $h$. Then, a one-way QKD-protocol as in Fig. 3 produces a secure key against eavesdroppers
whose quantum-memory size is sublinear in the length of the raw key (i.e., sublinear in the
number of qubits sent from Alice to Bob) at a positive rate as long as the bit-flip probability $p$
fulfills $H_{\mathrm{bin}}(p) < h$.

For the BB84 protocol, we have $h = \frac{1}{2}$ and $H_{\mathrm{bin}}(p) < \frac{1}{2}$ is satisfied as long as $p < 11\%$. This
bound coincides with the known bound for security against an unbounded adversary. So, the
memory-bound does not give an advantage here (see footnote 6).

The situation is different for the six-state protocol where $h = \frac{2}{3}$. In this case, security
against memory-bounded adversaries is guaranteed (i.e. $H_{\mathrm{bin}}(p) < \frac{2}{3}$) as long as $p < 17\%$. If
one requires security against an unbounded adversary, the threshold for the same protocol lies
below 13%, and even the best known QKD protocol on binary channels with one-way classical
post-processing can only tolerate noise up to roughly 14.1% [29]. It has also been shown that,
in the unbounded model, no such protocol can tolerate an error rate of more than 16.3%.

The performance of QKD protocols against quantum-memory bounded eavesdroppers can
be improved further by making the choice of the encoding bases more random. For example,
they might be chosen from the set of all possible orthonormal bases on a two-dimensional
Hilbert space. As shown in Appendix B, the average entropic uncertainty bound is then given
by $h \approx 0.72$ and $H_{\mathrm{bin}}(p) < 0.72$ is satisfied if $p < 20\%$. For an unbounded adversary, the
thresholds are the same as for the six-state protocol (i.e., 14.1% for the best known one-way
protocol).
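The rate bound rate $\ge h - H_{\mathrm{bin}}(p)$ and the key-length bound $\ell \ge M(h-e) - q$ of this section, evaluated numerically in an added example (not code from the paper). It solves $H_{\mathrm{bin}}(p) = h$ by bisection for the three values of $h$ used above, and computes $h_d$ for all bases of $\mathcal{H}_d$ (Appendix B) from the harmonic-sum formula known from the literature, which is an external fact that this code checks against the table values of Appendix B; the function names are the example's own.

```python
"""Noise thresholds for one-way QKD against memory-bounded eavesdroppers
(Section 6); an added example, not the paper's code."""
import math


def h_bin(p):
    """Binary Shannon entropy H_bin(p) = -(p log p + (1-p) log(1-p)), in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def key_rate_bound(h, p):
    """Guaranteed key rate per sifted bit: rate >= h - H_bin(p) (Theorem 6.1)."""
    return h - h_bin(p)


def key_length_bound(M, h, e, q):
    """l >= M(h - e) - q: sifted-key length M, per-symbol error-correction
    cost e, quantum-memory bound q of the eavesdropper."""
    return M * (h - e) - q


def noise_threshold(h, tol=1e-9):
    """Largest bit-flip probability p < 1/2 with H_bin(p) < h, found by
    bisection; H_bin is increasing on [0, 1/2], so the root is unique."""
    if h >= 1.0:
        return 0.5
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if h_bin(mid) < h:
            lo = mid
        else:
            hi = mid
    return lo


def h_all_bases(d):
    """Overall average entropic uncertainty bound h_d for all orthonormal
    bases of H_d, via the harmonic sum (1/ln 2) * sum_{k=2}^{d} 1/k.
    This formula is an external fact (the page's own display of
    Proposition B.2 is lost); it reproduces the page's table 0.72, 1.56,
    2.48, 3.43 for d = 2, 4, 8, 16."""
    return sum(1.0 / k for k in range(2, d + 1)) / math.log(2)


# Average entropic uncertainty bounds h used in the text.
PROTOCOL_H = {
    "BB84": 0.5,
    "six-state": 2.0 / 3.0,
    "all qubit bases": h_all_bases(2),
}


def thresholds():
    """Maximal tolerated bit-flip probability per protocol (bounded memory)."""
    return {name: noise_threshold(h) for name, h in PROTOCOL_H.items()}


if __name__ == "__main__":
    for name, p in thresholds().items():
        print(f"{name:16s} h={PROTOCOL_H[name]:.3f}  p < {100 * p:.2f}%")
    # Constructed figures: 1000 sifted bits, 10% channel noise, q = 50 qubits.
    print("six-state key length >=", key_length_bound(1000, 2 / 3, h_bin(0.1), 50))
```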

7 Open Problems 

It is interesting to investigate whether the uncertainty relation (Theorem 3.3) still holds if
the measurement bases $(\theta_1,\dots,\theta_n)$ are randomly chosen from a relatively small subset of $\mathcal{B}^n$
(rather than from the entire set $\mathcal{B}^n$). Such an extension would reduce the amount of randomness
that is needed in applications. In particular, in the context of QKD with quantum-memory-
bounded eavesdroppers, it would allow for more efficient protocols that use a relatively short
initial secret key in order to select the bases for the preparation and measurement of the states
and, hence, avoid the sifting step.

5 This value of $e$ is only achieved if an optimal error-correction scheme is used. In practical implementations,
the value of $e$ might be slightly larger.

6 Note, however, that the analysis given here might not be optimal. 
Another open problem is to consider protocols using higher-dimensional quantum systems.
The results described in Appendix B show that for $d$-dimensional systems, the average entropic
uncertainty bound converges to $\log d$ for large $d$. The maximal tolerated channel noise might
thus be higher for such protocols (depending on the noise model for higher-dimensional quantum
channels).
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A Proofs 

A.1 Proof of Theorem 3.1 (Uncertainty Relation)

Define $Z^i := (Z_1,\dots,Z_i)$ for any $i \in \{1,\dots,n\}$, and similarly for other sequences. We want
to show that $\Pr[P_{Z^n}(Z^n) > 2^{-(h-2\lambda)n}] \le \varepsilon$ for $\varepsilon$ as claimed in Theorem 3.1. This means that
$P_{Z^n}(z^n)$ is smaller than $2^{-(h-2\lambda)n}$ except with probability at most $\varepsilon$ (over the choice of $z^n$), and
therefore implies the claim $H^{\varepsilon}_{\infty}(Z^n) \ge (h-2\lambda)n$ by the definition of smooth min-entropy. Note
that $P_{Z^n}(Z^n) > 2^{-(h-2\lambda)n}$ is equivalent to

$$\sum_{i=1}^{n} \Big( \log\big(P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1})\big) + h \Big) > 2\lambda n \qquad (5)$$

which is of suitable form to apply Azuma's inequality (Lemma 2.3).

Consider first an arbitrary sequence $S_1,\dots,S_n$ of real-valued random variables. We assume
the $S_i$'s to be either all positive or all negative. Define a new sequence $R_1,\dots,R_n$ of random
variables by putting $R_i := S_i - \mathbb{E}[S_i \mid S^{i-1}]$. It is straightforward to verify that $\mathbb{E}[R_i \mid R^{i-1}] = 0$,
i.e., $R_1,\dots,R_n$ forms a martingale difference sequence. Thus, if $|S_i| \le c$ for some $c$ (and any $i$),
and thus $|R_i| \le c$, Azuma's inequality guarantees that

$$\Pr\Big[ \sum_{i=1}^{n} \big(S_i - \mathbb{E}[S_i \mid S^{i-1}]\big) \ge \lambda n \Big] \le \exp\Big( -\frac{\lambda^2 n}{2c^2} \Big). \qquad (6)$$
We now put $S_i := \log P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1})$ for $i = 1,\dots,n$. Note that $S_1,\dots,S_n \le 0$. It is
easy to see that the bound on the conditional entropy of $Z_i$ from Theorem 3.1 implies that
$\mathbb{E}[S_i \mid S^{i-1}] \le -h$. Indeed, for any $z^{i-1} \in \mathcal{Z}^{i-1}$, we have $\mathbb{E}[\log P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1}) \mid Z^{i-1} =
z^{i-1}] = -H(Z_i \mid Z^{i-1} = z^{i-1}) \le -h$, and thus for any subset $\mathcal{E}$ of $\mathcal{Z}^{i-1}$, and in particular for
the set of $z^{i-1}$'s which map to a given $s^{i-1}$, it holds that

$$\mathbb{E}[S_i \mid Z^{i-1} \in \mathcal{E}] = \sum_{z^{i-1} \in \mathcal{E}} P_{Z^{i-1}|Z^{i-1}\in\mathcal{E}}(z^{i-1}) \cdot \mathbb{E}\big[\log P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1}) \,\big|\, Z^{i-1} = z^{i-1}\big] \le -h. \qquad (7)$$

As a consequence, the bound on the probability of (6) in particular bounds the probability of
the event (5), even with $\lambda n$ instead of $2\lambda n$. A problem though is that we have no upper bound
$c$ on the $|S_i|$'s. Because of that we now consider a modified sequence $\hat{S}_1,\dots,\hat{S}_n$ defined by
$\hat{S}_i := \log P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1})$ if $P_{Z_i|Z^{i-1}}(Z_i \mid Z^{i-1}) \ge \delta$ and $\hat{S}_i := 0$ otherwise, where $\delta > 0$ will
be determined later. This gives us a bound like (6) but with an explicit $c$, namely $c = \log(1/\delta)$.
Below, we will argue that $\mathbb{E}[\hat{S}_i \mid \hat{S}^{i-1}] - \mathbb{E}[S_i \mid S^{i-1}] \le \lambda$ by the right choice of $\delta$; the claim then
follows from observing that

$$\hat{S}_i - \mathbb{E}[\hat{S}_i \mid \hat{S}^{i-1}] \ \ge\ S_i - \mathbb{E}[\hat{S}_i \mid \hat{S}^{i-1}] \ \ge\ S_i - \mathbb{E}[S_i \mid S^{i-1}] - \lambda \ \ge\ S_i + h - \lambda,$$

where the last inequality follows from (7). Regarding the claim $\mathbb{E}[\hat{S}_i \mid \hat{S}^{i-1}] - \mathbb{E}[S_i \mid S^{i-1}] \le \lambda$,
using a similar argument as for (7), it suffices to show that $\mathbb{E}[\hat{S}_i \mid Z^{i-1} = z^{i-1}] - \mathbb{E}[S_i \mid Z^{i-1} =
z^{i-1}] \le \lambda$ for any $z^{i-1}$:

$$\mathbb{E}[\hat{S}_i \mid Z^{i-1} = z^{i-1}] - \mathbb{E}[S_i \mid Z^{i-1} = z^{i-1}] = -\sum P_{Z_i|Z^{i-1}}(z_i \mid z^{i-1}) \log\big(P_{Z_i|Z^{i-1}}(z_i \mid z^{i-1})\big) \le |\mathcal{Z}|\,\delta \log(1/\delta)$$

where the summation is over all $z_i \in \mathcal{Z}$ with $P_{Z_i|Z^{i-1}}(z_i \mid z^{i-1}) < \delta$, and where the inequality
holds as long as $\delta \le 1/e$, as can easily be verified. Thus, we let $0 < \delta \le 1/e$ be such that
$|\mathcal{Z}|\,\delta \log(1/\delta) = \lambda$. Using Lemma A.1 below, we have that $\delta \ge \frac{\lambda}{4|\mathcal{Z}|\log(|\mathcal{Z}|/\lambda)}$ and derive that
$c^2 = \log(1/\delta)^2 = \lambda^2/(\delta|\mathcal{Z}|)^2 \le 16\log(|\mathcal{Z}|/\lambda)^2$, which gives us the claimed bound $\varepsilon$ on the
probability. □

Lemma A.1. For any $0 < x \le 1/e$ such that $y := x\log(1/x) \le 1/4$, it holds that $x \ge \frac{y}{4\log(1/y)}$.

Proof. Define the function $x \mapsto f(x) = x\log(1/x)$. It holds that $f'(x) = \log(1/x) -
\log e$, which shows that $f$ is bijective in the interval $(0, 1/e)$, and thus the inverse function
$f^{-1}(y)$ is well defined for $y \in (0, \log(e)/e)$, which contains the interval $(0, 1/4)$. We are going
to show that $f^{-1}(y) \ge g(y)$ for all $y \in (0, 1/4)$, where $g(y) = \frac{y}{4\log(1/y)}$. Since both $f^{-1}(y)$ and
$g(y)$ converge to 0 for $y \to 0$, it suffices to show that $\frac{d}{dy}f^{-1}(y) \ge \frac{d}{dy}g(y)$; respectively, we will
compare their reciprocals. For any $x \in (0, 1/e)$ such that $y = f(x) = x\log(1/x) < 1/4$,

$$\frac{dy}{dx} = f'(f^{-1}(y)) = \log(1/x) - \log(e)$$

and

$$\frac{d}{dy}g(y) = \frac{1}{4}\Big( \frac{1}{\log(1/y)} + \frac{1}{\ln(2)\log(1/y)^2} \Big)$$

such that

$$\frac{1}{\frac{d}{dy}g(y)} = \frac{4\ln(2)\log(1/y)^2}{\ln(2)\log(1/y) + 1} = 4\log(1/y)\,\frac{1}{1 + \frac{1}{\ln(2)\log(1/y)}} \ \ge\ 2\log(1/y) = 2\log\Big(\frac{1}{x\log(1/x)}\Big) = 2\big(\log(1/x) - \log\log(1/x)\big)$$

where for the inequality we are using that $y < 1/4$ so that $\ln(2)\log(1/y) \ge 2\ln(2) = \ln(4) > 1$.
Defining the function

$$h(z) := z - 2\log(z) + \log(e)$$

and showing that $h(z) > 0$ for all $z > 0$ finishes the proof, as then

$$0 < h(\log(1/x)) \le \frac{1}{\frac{d}{dy}g(y)} - \frac{dy}{dx},$$

which was to be shown. For this last claim, note that $h(z) \to \infty$ for $z \to 0$ and for $z \to \infty$,
and thus the global minimum is at $z_0$ with $h'(z_0) = 0$. $h'(z) = 1 - 2/(\ln(2)z)$ and thus $z_0 =
2/\ln(2) = 2\log(e)$, and hence the minimum of $h(z)$ equals $h(z_0) = 3\log(e) - 2\log(2\log(e))$,
which turns out to be positive.

A.2 Proof of Theorem 4.1 (Privacy Amplification With Classical Conditioning)

In this section, we adopt the slightly more advanced notation from [28] in order to derive The-
orem 4.1 from Corollary 5.6.1 in [28]. In our case, the quantum register $B$ from Corollary 5.6.1
consists of a classical part $U$ and a quantum part $Q$. Denoting by $\sigma_Q$ the fully mixed state on
the image of $\rho_Q$, we only need to consider the term in the exponent to derive Theorem 4.1 as
follows

$$H^{\varepsilon}_{\min}(\rho_{XUQ} \mid UQ) \ \ge\ H^{\varepsilon}_{\min}(\rho_{XUQ} \mid \rho_U \otimes \sigma_Q)$$
$$\ge\ H^{\varepsilon}_{\min}(\rho_{XUQ} \mid \rho_U) - H_{\max}(\rho_Q) \qquad (8)$$
$$\ge\ H^{\varepsilon}_{\min}(\rho_{XU} \mid \rho_U) - H_{\max}(\rho_Q) \qquad (9)$$
$$=\ H^{\varepsilon}_{\infty}(X \mid U) - q.$$

The first inequality follows by Definition 3.1.2 in [28] of $H^{\varepsilon}_{\min}(\rho_{XUQ} \mid UQ)$ as supremum over all $\sigma_{UQ}$. Inequal-
ity (8) is the chain rule for smooth min-entropy (Lemma 3.2.9 in [28]). Inequality (9) uses that
the smooth min-entropy cannot decrease when dropping the quantum register which is proven
in Lemma A.3 below. The last step follows by observing that the quantum quantities defined
in [28] correspond to the notions used in this paper accordingly (see Remark 3.1.4 in [28]). □

Lemma A.2. Let $\rho_{XUQ} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_U \otimes \mathcal{H}_Q)$ be classical on $\mathcal{H}_X \otimes \mathcal{H}_U$. Then

$$H_{\min}(\rho_{XUQ} \mid \rho_U) \ge H_{\min}(\rho_{XU} \mid \rho_U).$$

Proof. For $\lambda := 2^{-H_{\min}(\rho_{XU} \mid \rho_U)}$, we have by Definition 3.1.1 in [28] that $\lambda \cdot \mathbb{I}_X \otimes \rho_U - \rho_{XU} \ge 0$.
Using that both $X$ and $U$ are classical, we derive that for all $x, u$, it holds $\lambda \cdot p_u - p_{xu} \ge 0$,
where $p_u$ and $p_{xu}$ are shortcuts for the probabilities $P_U(u)$ and $P_{XU}(x,u)$. Let the normalized
conditional operator $\bar{\rho}^{xu}_Q$ be defined as in Sect. 2.1.3 of [28]. Then,

$$\lambda \cdot p_u \bar{\rho}^{xu}_Q \otimes |xu\rangle\langle xu| - p_{xu} \bar{\rho}^{xu}_Q \otimes |xu\rangle\langle xu| \ge 0.$$

Because of $\bar{\rho}^{xu}_Q \le \mathbb{I}_Q$, we get

$$\lambda \cdot p_u \mathbb{I}_Q \otimes |xu\rangle\langle xu| - p_{xu} \bar{\rho}^{xu}_Q \otimes |xu\rangle\langle xu| \ge 0.$$

Therefore, it holds $\lambda \cdot \mathbb{I}_{QX} \otimes \rho_U - \rho_{QXU} \ge 0$, from which follows by definition that $H_{\min}(\rho_{XUQ} \mid \rho_U) \ge
-\log(\lambda)$.

Lemma A.3. Let $\rho_{XUQ} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_U \otimes \mathcal{H}_Q)$ be classical on $\mathcal{H}_X \otimes \mathcal{H}_U$ and let $\varepsilon \ge 0$. Then

$$H^{\varepsilon}_{\min}(\rho_{XUQ} \mid \rho_U) \ge H^{\varepsilon}_{\min}(\rho_{XU} \mid \rho_U).$$

Proof. After Remark 3.2.4 in [28], there exists $\sigma_{XU} \in \mathcal{B}^{\varepsilon}(\rho_{XU})$ classical on $\mathcal{H}_X \otimes \mathcal{H}_U$ such that
$H^{\varepsilon}_{\min}(\rho_{XU} \mid \rho_U) = H_{\min}(\sigma_{XU} \mid \sigma_U)$. Because both $X$ and $U$ are classical, we can write $\sigma_{XU} =
\sum_{x,u} p_{xu} |xu\rangle\langle xu|$ and extend it to obtain $\sigma_{XUQ} := \sum_{x,u} p_{xu} |xu\rangle\langle xu| \otimes \bar{\rho}^{xu}_Q$. Lemma A.2 above
yields $H_{\min}(\sigma_{XU} \mid \sigma_U) \le H_{\min}(\sigma_{XUQ} \mid \sigma_U)$. We have by construction that $\delta(\sigma_{XUQ}, \rho_{XUQ}) =
\delta(\sigma_{XU}, \rho_{XU}) \le \varepsilon$. Therefore, $\sigma_{XUQ} \in \mathcal{B}^{\varepsilon}(\rho_{XUQ})$ and $H_{\min}(\sigma_{XUQ} \mid \sigma_U) \le H^{\varepsilon}_{\min}(\rho_{XUQ} \mid \rho_U)$.

A.3 Proof of Lemma 4.2 (Min-Entropy-Splitting Lemma)

In the following, we give the proof for $\varepsilon = 0$, i.e., for ordinary (non-smooth) min-entropy. The
general claim for smooth min-entropy follows immediately by observing that the same argument
also works for non-normalized distributions with a total probability smaller than 1.

We extend the probability distribution $P_{X_0X_1}$ as follows to $P_{X_0X_1C}$: Let $C = 1$ if $P_{X_1}(x_1) >
2^{-\alpha/2}$ and $C = 0$ otherwise. We have that for all $x_1$, $P_{X_1C}(x_1, 0)$ either vanishes or is equal to
$P_{X_1}(x_1)$. In any case, $P_{X_1C}(x_1, 0) \le 2^{-\alpha/2}$.

On the other hand, for all $x_1$ with $P_{X_1C}(x_1, 1) > 0$, we have that $P_{X_1C}(x_1, 1) = P_{X_1}(x_1) >
2^{-\alpha/2}$ and therefore, for all $x_0$,

$$P_{X_0X_1C}(x_0, x_1, 1) \le 2^{-\alpha} = 2^{-\alpha/2} \cdot 2^{-\alpha/2} < 2^{-\alpha/2} P_{X_1}(x_1).$$

Summing over all $x_1$ with $P_{X_0X_1C}(x_0, x_1, 1) > 0$, and thus with $P_{X_1C}(x_1, 1) > 0$, results in

$$P_{X_0C}(x_0, 1) \le \sum_{x_1} 2^{-\alpha/2} P_{X_1}(x_1) \le 2^{-\alpha/2}.$$

This shows that $P_{X_{1-C}C}(x, c) \le 2^{-\alpha/2}$ for all $x, c$.
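The splitting construction of this proof, run on a constructed joint distribution as an added example (not the paper's code): $C$ is chosen by the rule $C = 1$ iff $P_{X_1}(x_1) > 2^{-\alpha/2}$ with $\alpha = H_\infty(X_0X_1)$, and the code checks $\max_{x,c} P_{X_{1-C}C}(x,c) \le 2^{-\alpha/2}$ on a distribution where neither $X_0$ nor $X_1$ alone has min-entropy $\alpha/2$. The distribution and function names are the example's own.

```python
"""Min-Entropy-Splitting Lemma (Lemma 4.2, eps = 0) checked numerically;
an added example, not from the paper."""
import math
from collections import defaultdict


def min_entropy(dist):
    """H_inf(dist) = -log2 max_x P(x) for a dict value -> probability."""
    return -math.log2(max(dist.values()))


def marginal(joint, index):
    """Marginal of a joint distribution over pairs (x0, x1) on coordinate index."""
    m = defaultdict(float)
    for pair, p in joint.items():
        m[pair[index]] += p
    return dict(m)


def split(joint):
    """Apply the proof's construction.  Returns (alpha, C as a function of x1,
    the distribution P_{X_{1-C} C}) for alpha = H_inf(X0 X1)."""
    alpha = min_entropy(joint)
    thr = 2 ** (-alpha / 2)
    p_x1 = marginal(joint, 1)
    # C = 1 iff P_{X1}(x1) > 2^{-alpha/2}, C = 0 otherwise.
    c_of = {x1: (1 if p > thr else 0) for x1, p in p_x1.items()}
    out = defaultdict(float)
    for (x0, x1), p in joint.items():
        c = c_of[x1]
        # X_{1-C} is X1 when C = 0 and X0 when C = 1.
        out[(x1 if c == 0 else x0, c)] += p
    return alpha, c_of, dict(out)


def lemma_holds(joint, slack=1e-12):
    """True iff H_inf(X_{1-C} C) >= alpha/2, i.e. every entry of
    P_{X_{1-C} C} is at most 2^{-alpha/2}."""
    alpha, _, out = split(joint)
    return max(out.values()) <= 2 ** (-alpha / 2) + slack


# Constructed distribution over (x0, x1): X1 = 0 with probability 1/2, and
# then X0 uniform on {0,1,2,3}; otherwise X1 in {1,2,3} (1/6 each) with X0 = 0.
EXAMPLE = {(x0, 0): 1 / 8 for x0 in range(4)}
EXAMPLE.update({(0, x1): 1 / 6 for x1 in (1, 2, 3)})

if __name__ == "__main__":
    alpha, c_of, out = split(EXAMPLE)
    print(f"alpha = {alpha:.3f}, need {alpha / 2:.3f} bits after splitting")
    print("H_inf(X0) =", round(min_entropy(marginal(EXAMPLE, 0)), 3))
    print("H_inf(X1) =", round(min_entropy(marginal(EXAMPLE, 1)), 3))
    print("C(x1):", c_of, " H_inf(X_{1-C} C) =", round(min_entropy(out), 3))
```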

A.4 Proof of Theorem 4.6 (Sender-Security of the OT Scheme)

First, we consider a purified version of Rand 1-2 QOT$^\ell$, EPR Rand 1-2 QOT$^\ell$ in Fig. 4, where for
each qubit $|x_i\rangle_{\theta_i}$ the sender S is instructed to send to the receiver, S instead prepares an EPR
pair $|\Phi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, and sends one part to the receiver while keeping the other. Only
when Step 3 is reached and $\tilde{R}$'s quantum memory is bound to $\gamma n$ qubits, S measures her qubits
in basis $\theta \in_R \{+,\times\}^n$. It is easy to see that for any $\tilde{R}$, EPR Rand 1-2 QOT$^\ell$ is equivalent to
the original Rand 1-2 QOT$^\ell$, and it suffices to prove sender-security for the former. Indeed, S's
choices of $\theta$ and $f_0, f_1$, together with the measurements all commute with $\tilde{R}$'s actions. Therefore,
they can be performed right after Step 1 with no change for $\tilde{R}$'s view. Modifying EPR Rand 1-2
QOT$^\ell$ that way results in Rand 1-2 QOT$^\ell$. A similar approach was used in [13], or in [M] in the
context of the BB84 quantum key distribution scheme.

Consider the common quantum state in EPR Rand 1-2 QOT$^\ell$ after $\tilde{R}$ has measured all but $\gamma n$
of his qubits. Let $X$ be the random variable that describes the outcome of the sender measuring
her part of the state in random basis $\Theta$, and let $E$ be the random state that describes $\tilde{R}$'s
part of the state. Also, let $F_0$ and $F_1$ be the random variables that describe the random and
independent choices of $f_0, f_1 \in \mathcal{F}$. Finally, let $X_b = X|_{\{i : \Theta_i = [+,\times]_b\}}$ (padded with zeros so
it makes sense to apply $F_b$).

EPR Rand 1-2 QOT$^\ell$:

1. S prepares $n$ EPR pairs each in state $|\Phi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, and sends one half of each pair to R and
keeps the other halves.

2. R measures all qubits in basis $[+,\times]_c$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks random $\theta \in_R \{+,\times\}^n$, and she measures the $i$th qubit in basis $\theta_i$. Let $x \in \{0,1\}^n$ be the outcome.
S picks two hash functions $f_0, f_1 \in_R \mathcal{F}$, announces $\theta$ and $f_0, f_1$ to R, and outputs $s_0 := f_0(x|_{I_0})$ and
$s_1 := f_1(x|_{I_1})$ where $I_b := \{i : \theta_i = [+,\times]_b\}$.

4. R outputs $s_c = f_c(x'|_{I_c})$.

Fig. 4. Protocol for EPR-based Rand 1-2 OT$^\ell$.

Choose $\lambda, \lambda', \kappa$ all positive, but small enough such that $\gamma n \le (1/4 - \lambda - 2\lambda' - \kappa)n - 2\ell - 1$.
From the uncertainty relation (Corollary 3.4), we know that $H^{\varepsilon}_{\infty}(X_0X_1 \mid \Theta) \ge (1/2 - 2\lambda)n$ for
$\varepsilon$ exponentially small in $n$. Therefore, by Corollary 4.3, there exists a binary random variable
$C'$ such that for $\varepsilon' = 2^{-\lambda' n}$, it holds that

$$H^{\varepsilon+\varepsilon'}_{\infty}(X_{1-C'} \mid \Theta, C') \ge (1/4 - \lambda - \lambda')n - 1.$$

We denote by the random variables $F_0, F_1$ the sender's choices of hash functions. It is clear that
we can condition on the independent $F_{C'}$ and use the chain rule (Lemma 2.1) to obtain

$$H^{\varepsilon+2\varepsilon'}_{\infty}(X_{1-C'} \mid \Theta F_{C'}(X_{C'}) F_{C'} C')$$
$$\ge\ H^{\varepsilon+2\varepsilon'}_{\infty}(X_{1-C'} F_{C'}(X_{C'}) \mid \Theta F_{C'} C') - H_0(F_{C'}(X_{C'}) \mid F_{C'} C') - \lambda' n$$
$$\ge\ (1/4 - \lambda - 2\lambda')n - \ell - 1$$
$$\ge\ \gamma n + \ell + \kappa n,$$

by the choice of $\lambda, \lambda', \kappa$. We can now apply privacy amplification in form of Theorem 4.1 to
obtain

$$d\big(F_{1-C'}(X_{1-C'}) \,\big|\, F_{1-C'}, \Theta F_{C'}(X_{C'}) F_{C'} C', E\big)$$
$$\le\ \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H^{\varepsilon+2\varepsilon'}_{\infty}(X_{1-C'} \mid \Theta F_{C'}(X_{C'}) F_{C'} C') - \gamma n - \ell\right)} + 2(\varepsilon + 2\varepsilon')$$
$$\le\ \tfrac{1}{2}\, 2^{-\frac{\kappa}{2} n} + 2\varepsilon + 4\varepsilon',$$

which is negligible. □

B Computing the Overall Average Entropic Uncertainty Bound

Let $\mathcal{U}(d)$ be the set of unitaries on $\mathcal{H}_d$. Moreover, let $dU$ be the normalized Haar measure on
$\mathcal{U}(d)$, i.e.,

$$\int_{\mathcal{U}(d)} f(VU)\, dU = \int_{\mathcal{U}(d)} f(UV)\, dU = \int_{\mathcal{U}(d)} f(U)\, dU ,$$

for any $V \in \mathcal{U}(d)$ and any integrable function $f$, and $\int_{\mathcal{U}(d)} dU = 1$. (Note that the normalized
Haar measure $dU$ exists and is unique.)

Let $\{\omega_1, \dots, \omega_d\}$ be a fixed orthonormal basis of $\mathcal{H}_d$, and let $\mathcal{B}_{\mathrm{all}} = \{\vartheta_U\}_{U \in \mathcal{U}(d)}$ be the family
of bases $\vartheta_U = \{U\omega_1, \dots, U\omega_d\}$ with $U \in \mathcal{U}(d)$. The set $\mathcal{B}_{\mathrm{all}}$ consists of all orthonormal bases of
$\mathcal{H}_d$. We generalize Definition 3.2, the average entropic uncertainty bound for a finite set of bases,
to the infinite set $\mathcal{B}_{\mathrm{all}}$.

Definition B.1. We call $h_d$ an overall average entropic uncertainty bound in $\mathcal{H}_d$ if every state $\rho$
in $\mathcal{H}_d$ satisfies

$$\int_{\mathcal{U}(d)} H(P_{\vartheta_U})\, dU \ge h_d ,$$

where $P_{\vartheta_U}$ is the distribution obtained by measuring the state $\rho$ in basis $\vartheta_U \in \mathcal{B}_{\mathrm{all}}$.

Proposition B.2. For any positive integer $d$,

is the overall average entropic uncertainty bound in $\mathcal{H}_d$. It is attained for any pure state in $\mathcal{H}_d$.

The proposition follows immediately from Formula (14) in [23] for a pure state, i.e. $(\lambda_1, \dots, \lambda_n) =
(1, 0, \dots, 0)$. The result was originally shown in [35, 22]; another proof can be found in the
appendix of [23].

The following table gives some numerical values of $h_d$ for small values of $d$.

$d$                 | 2    | 4    | 8    | 16
$h_d$               | 0.72 | 1.56 | 2.48 | 3.43
$h_d / \log_2(d)$   | 0.72 | 0.78 | 0.83 | 0.86

It is well-known that the harmonic series in Proposition B.2 diverges in the same way as
$\log_2(d)$ and therefore, $h_d / \log_2(d)$ goes to 1 for large dimensions $d$.